Securing Virtual Partitions with HP-UX Role-Based Access Control
Document Information
This White Paper from the Hewlett-Packard Company describes an approach to securing Virtual
Partitions using the HP-UX Role-Based Access Control (RBAC) feature.
Scope
The solution described in this paper applies to HP-UX 11i v2 (11.23) only, as HP-UX RBAC is currently
available starting with HP-UX 11i v2. While the solution in this paper does not cover HP-UX 11i v1
(11.11), a similar solution could be implemented using System Insight Manager or sudo instead of
HP-UX RBAC.
Intended Audience
This White Paper is intended for IT professionals—specifically, network officers, architects, and
administrators who perform security-related administrative functions. This document assumes the reader
has an understanding of HP-UX RBAC. Readers not familiar with HP-UX RBAC are encouraged to refer
to the HP-UX RBAC product documentation listed at the end of this document.
Terms and Definitions
Every technical field has a unique and specific vocabulary. The following table lists and briefly defines
fundamental terminology related to HP-UX RBAC and this document.
| Term | Definition |
|---|---|
| Authentication | To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite for allowing access to resources in a system. |
| Authorization | The process of determining whether a subject is allowed to perform an operation on a particular resource by evaluating applicable access control information. Usually, authorization is in the context of authentication. Once a subject is authenticated, it may be authorized to perform different types of access. In the context of this document, an authorization, commonly referred to as permission, specifically refers to the pairing of an operation with an object. |
| Object | Any system resource subject to access control, for example: a file, printer, terminal, database record, etc. |
| Operation | A specific mode of access to one or more protected objects. In the context of this document, an operation refers to a general action, such as backup or restore, represented as a string such as hpux.backup. Operations are paired with objects to form authorizations. |
| Principle of Least Privilege | The concept that users should be granted the least privilege required to accomplish their tasks. |
| RBAC | Role-Based Access Control. A mechanism to map users to their permitted authorizations (operation, object). Essentially an umbrella term that includes the definitions of roles and authorizations. |
| Role | A job function, within the context of an organization, with associated semantics regarding the authority and responsibility given to users assigned to the role. |
| Subject | The originator of an action requiring an authorization decision. In the context of this document, the term subject is synonymous with user. |
| Virtual Partitions | The Virtual Partitions (vPars) product enables multiple instances of HP-UX to run simultaneously on one server or nPartition by multiplexing the resources of a server or nPartition into virtual partitions. Each virtual partition is assigned its own subset of hardware, runs a separate instance of HP-UX, and hosts its own set of applications. vPars provide application and OS (operating system) fault isolation. |