HP-UX Virtual Partitions Administrator Guide (includes A.05.08) (5900-1312, March 2011)

11 vPars Flexible Administrative Capability
This chapter discusses the concepts and tasks for using the vPars Flexible Administrative Capability
feature (formerly called Primary-Admin vPars Security). With this feature, you can specify vPars
administration capabilities for zero, one, or more designated virtual partitions. Only superusers
within the designated virtual partitions can perform the vPars administration commands that affect
other virtual partitions; a superuser within a non-designated virtual partition can perform only
operations that affect its own partition.
Additionally, for this flexible administrative capability to work, all the virtual partitions must be
running the same version of vPars, except in the case of a mixed HP-UX 11i vPars environment
(such as a mixed HP-UX 11i v2/v3 vPars environment).
Flexible administrative capability is supported for vPars A.03.03 and later, vPars A.04.02 and
later, and vPars A.05.01 and later.
Flexible administrative capability is supported in mixed HP-UX 11i vPars environments. However,
HP recommends that in mixed environments the designated administrative virtual partitions be ones
that are capable of performing all administrative functions. For example, in a mixed HP-UX 11i
v2/v3 vPars environment only the HP-UX 11i v3 partitions (running vPars A.05.xx) can perform
vparmodify, vparremove, and vparcreate operations on other partitions. If only the HP-UX
11i v2 partitions were designated administrative partitions, then vPars administration abilities
would be limited for that environment.
NOTE: Applying RBAC to vPars A.04.01 White Paper
You can apply the existing HP-UX Security feature RBAC (Role-based Access Control) to vPars
A.04.01. For information, see the white paper titled Securing Virtual Partitions with HP-UX Role-Based
Access Control available on the BSC website at http://www.hp.com/go/hpux-vpars-docs.
HP-UX Security and other Security Applications
This feature is not intended to replace existing HP-UX security or security applications. It provides
a way to limit intentional access, but it is not intended to substitute for security features or security
applications that eliminate malicious or unintentional circumvention of commands or that provide
kernel-level security isolation. This feature is intended to address tighter vPars administration control
requirements in certain customer deployments.
Synopsis
The vPars Flexible Administrative Capability feature restricts the usage of specific vPars commands
such that they can be successfully executed from only designated virtual partitions.
The specific vPars commands that are restricted are those that can alter other virtual partitions,
such as vparmodify or vparreset.
The designated virtual partitions are known as designated-admin virtual partitions and are
designated by being explicitly added to the designated-admin virtual partitions list. Virtual partitions
that are not in the list are considered non-designated-admin virtual partitions. When a superuser
executes a command that affects another partition from within a non-designated-admin virtual
partition, the command will fail.
When the flexible administrative capability feature is ON (enabled), a virtual partition can be
added to (or deleted from) the list from either the vPars Monitor prompt without a password or the
HP-UX shell prompt by superusers who know the flexible administrative capability password.
The flexible administrative capability feature can be set to either ON (enabled) or OFF (disabled)
but only from the vPars Monitor prompt (MON>).
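The access rules in this synopsis can be read as a small policy table: which partition a command runs in, which partition it affects, whether the feature is ON, and where a list or ON/OFF change is requested from. The following Python model is an added illustration written for this page; it is not HP code, does not invoke any vPars command, and the partition names, the password value, and the set of cross-partition commands it checks (taken from the commands this chapter names) are constructed assumptions. Treating the feature as unenforced while OFF is also an assumption; the page only describes behaviour while the feature is ON.

```python
"""Illustrative model of the vPars Flexible Administrative Capability rules.

Added example for this page, not HP code. It encodes the policy the Synopsis
describes so the decisions can be exercised: commands that alter another
partition succeed only from a designated-admin partition while the feature is
ON; operations that affect only the caller's own partition always succeed; the
designated-admin list is changed from MON> without a password or from an HP-UX
shell with the feature password; ON/OFF is changed only from MON>.
"""
from dataclasses import dataclass, field
from typing import Optional
import hmac

# Commands this chapter names as able to alter other virtual partitions.
# Assumption: the full restricted command list is not given on this page.
CROSS_PARTITION_COMMANDS = {"vparmodify", "vparreset", "vparremove", "vparcreate"}


@dataclass
class FlexAdminState:
    enabled: bool = False                        # feature ON (True) or OFF (False)
    password: str = "example-password"           # constructed sample value
    designated_admin: set = field(default_factory=set)

    def set_enabled(self, value: bool, source: str) -> None:
        """ON/OFF may be changed only from the vPars Monitor prompt (MON>)."""
        if source != "MON>":
            raise PermissionError("feature state can be changed only from MON>")
        self.enabled = value

    def update_list(self, partition: str, add: bool, source: str,
                    password: Optional[str] = None) -> None:
        """Add or delete a partition in the designated-admin list.

        From MON> no password is needed; from an HP-UX shell the superuser must
        present the flexible administrative capability password.
        """
        if source == "shell":
            if password is None or not hmac.compare_digest(password, self.password):
                raise PermissionError("flexible administrative capability password required")
        elif source != "MON>":
            raise ValueError("unknown source: %r" % source)
        if add:
            self.designated_admin.add(partition)
        else:
            self.designated_admin.discard(partition)

    def authorize(self, command: str, origin: str, target: str) -> bool:
        """Decide whether `command`, run by a superuser in `origin`, may affect `target`."""
        if command not in CROSS_PARTITION_COMMANDS or origin == target:
            return True            # affects only the caller's own partition
        if not self.enabled:
            return True            # assumption: feature OFF means the list is not enforced
        return origin in self.designated_admin


def demonstrate() -> dict:
    """Walk the Synopsis scenario with constructed partition names vpar1/vpar2."""
    state = FlexAdminState(password="example-password")
    results = {}
    results["off_any_origin"] = state.authorize("vparreset", "vpar2", "vpar1")
    try:
        state.set_enabled(True, "shell")            # must be refused
        results["enable_from_shell"] = True
    except PermissionError:
        results["enable_from_shell"] = False
    state.set_enabled(True, "MON>")
    state.update_list("vpar1", add=True, source="MON>")
    results["designated_cross"] = state.authorize("vparmodify", "vpar1", "vpar2")
    results["non_designated_cross"] = state.authorize("vparmodify", "vpar2", "vpar1")
    results["non_designated_self"] = state.authorize("vparmodify", "vpar2", "vpar2")
    try:
        state.update_list("vpar2", add=True, source="shell", password="wrong")
        results["shell_bad_password"] = True
    except PermissionError:
        results["shell_bad_password"] = False
    state.update_list("vpar2", add=True, source="shell", password="example-password")
    results["after_shell_add"] = state.authorize("vparmodify", "vpar2", "vpar1")
    state.update_list("vpar1", add=False, source="MON>")
    results["after_delete"] = state.authorize("vparmodify", "vpar1", "vpar2")
    return results


if __name__ == "__main__":
    for name, allowed in demonstrate().items():
        print("%-22s %s" % (name, "allowed" if allowed else "denied"))
```

The model keeps the two administrative paths distinct on purpose: the Monitor prompt can change both the feature state and the list, while a shell superuser can only edit the list and only with the password, which is the asymmetry a reviewer should look for when auditing who can widen the designated-admin list.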