Manualshelf

Securing Virtual Partitions with HP-UX Role-Based Access Control

ManualsBrandsHP ManualsSoftwareHP-UX vPars and Integrity VM v6
12345678910
7
The vPars with RBAC Solution
In typical vPars deployment environments, there are usually two types of administrative roles. For the
purposes of clarity in this document, we will refer to these two types of administrative roles as
“Operator” and “BoxAdmin”.
Operator: someone who administers a particular virtual partition, typically running as the root user.
BoxAdmin: someone who manages the entire system and has physical access to each virtual
partition.
Using HP-UX RBAC, you can assign Operators non-root roles with authorizations to perform certain
administrative tasks, and designate BoxAdmin as the only user capable of running virtual partition
commands for non-local virtual partitions. Specifically, an Operator will log in as a normal, non-root
user and perform administrative tasks such as starting or stopping a web server. In addition, an
Operator could be optionally allowed to run virtual partition commands for the local virtual partition. In
contrast, a BoxAdmin will be the only user to log in as root, and run virtual partition commands for
other virtual partitions.
The advantage of this approach is that an Operator on one virtual partition can no longer affect other
virtual partitions. Since no one except the BoxAdmin has root access to each virtual partition, the
BoxAdmin will be solely responsible for all virtual partition commands executed for other virtual
partitions, therefore full accountability can be achieved.
Be sure to carefully plan the Operator’s capabilities so that they do not lead to unconstrained root
privilege. If this occurs, then the Operator is able to affect other virtual partitions—exactly the behavior
that we are trying to avoid. Consequently, some of the administrative tasks must be transferred to the
BoxAdmin.
Note that this last limitation might not be practical for all customer environments. In those scenarios, if
you require a higher level of partitioning security, HP recommends considering other partitioning
solutions such as ‘hard’ nPartitions, or HP Integrity Virtual Machines.