HP-UX Virtual Partitions Administrator's Guide (includes A.03.05 and A.04.05)

11 vPars Flexible Administrative Capability (vPars A.03.03, A.03.04, vPars A.04.02, A.04.03, A.05.01)
This chapter discusses the concepts and tasks involved in using the vPars Flexible Administrative
Capability feature (formerly called Primary-Admin vPars Security). With this feature, you can
grant vPars administration capability to zero, one, or more designated virtual partitions.
Only superusers within the designated virtual partitions can run the vPars administration
commands that affect other virtual partitions; a superuser within a non-designated virtual
partition can perform only operations that affect that partition itself.
Additionally, for the flexible administrative capability to work, all the virtual partitions must
be running the same version of vPars.
NOTE:
Applying RBAC to vPars A.04.01 White Paper
You can apply the existing HP-UX Security feature RBAC (Role-Based Access Control) to vPars
A.04.01. For information, see the white paper titled Securing Virtual Partitions with HP-UX
Role-Based Access Control, available at http://docs.hp.com.
HP-UX Security and other Security Applications
This feature is not intended to replace existing HP-UX security features or security applications.
It provides a way to limit intentional access, but it is not a substitute for security features or
applications that prevent malicious or unintentional circumvention of commands or that provide
kernel-level security isolation. This feature is intended to address tighter vPars administration
control requirements in certain customer deployments.
Synopsis
The vPars Flexible Administrative Capability feature restricts the usage of specific vPars commands
such that they can be successfully executed from only designated virtual partitions.
The specific vPars commands that are restricted are those that can alter other virtual partitions,
such as vparmodify or vparreset.
The designated virtual partitions are known as designated-admin virtual partitions and are designated
by being explicitly added to the designated-admin virtual partitions list. Virtual partitions that
are not in the list are considered non-designated-admin virtual partitions. When a superuser executes
a command that affects another partition from within a non-designated-admin virtual partition,
the command will fail.
When the flexible administrative capability feature is ON (enabled), a virtual partition can be
added to (or deleted from) the list either from the Monitor prompt, where no password is required,
or from the HP-UX shell prompt by a superuser who knows the flexible administrative capability
password.
The flexible administrative capability feature can be set to either ON (enabled) or OFF (disabled),
but only from the vPars Monitor prompt (MON>).
Terms and Definitions
target partition
    This is the virtual partition that is affected when a vPars command is executed.
    For example, in the command:
        # vparmodify -p winona2 -a cpu::1 ...
    an attempt is made to add a CPU to winona2, so winona2 is the target virtual
    partition. The argument of the -p option is the target partition.
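The access rule described in the Synopsis, together with the definition of the target partition above, modeled as POSIX shell functions. This is an added example, not code from this guide or from the vPars product: the designated-admin list, the partition names (winona1, winona2, winona3) and the FAC_STATE variable are constructed placeholders standing in for state that the real feature keeps in the vPars Monitor, and obtaining the local partition's name from vparstatus is an assumption noted in the comments. The functions reproduce only the decision the text describes: a command that targets the local partition is always permitted, a command that targets another partition is permitted only from a designated-admin partition, and nothing is restricted while the feature is OFF.

```shell
#!/bin/sh
# Added illustration of the Flexible Administrative Capability decision.
# Not the vPars implementation: the values below are constructed stand-ins
# for state that the real feature stores in the vPars Monitor.

FAC_STATE="ON"                          # ON (enabled) or OFF (disabled); set only at MON>
DESIGNATED_ADMIN="winona1 winona3"      # constructed designated-admin virtual partitions list
# On a real system the local partition name would come from vparstatus
# (assumed here, not shown on this page); the examples pass it explicitly.

# in_list NAME LIST -> exit 0 if NAME is one of the whitespace-separated words in LIST
in_list() {
    wanted=$1
    for item in $2; do
        [ "$item" = "$wanted" ] && return 0
    done
    return 1
}

# target_of ARG... -> print the argument of -p (the target partition) and exit 0;
# exit 1 and print nothing when the command line carries no -p option.
target_of() {
    while [ $# -gt 0 ]; do
        case $1 in
            -p)  [ $# -ge 2 ] || return 1
                 printf '%s\n' "$2"; return 0 ;;
            -p*) printf '%s\n' "${1#-p}"; return 0 ;;   # attached form: -pwinona2
        esac
        shift
    done
    return 1
}

# allowed LOCAL TARGET -> exit 0 if a superuser in partition LOCAL may run a
# command whose target partition is TARGET, exit 1 if the command must fail.
allowed() {
    local_vp=$1
    target_vp=$2
    # Feature OFF: no restriction on any partition.
    [ "$FAC_STATE" = "OFF" ] && return 0
    # Operations that affect only the local partition are always permitted.
    [ "$target_vp" = "$local_vp" ] && return 0
    # Otherwise only a designated-admin partition may affect another partition.
    in_list "$local_vp" "$DESIGNATED_ADMIN"
}

# decide LOCAL CMD ARG... -> print "allow", "deny" or "no-target" for running
# CMD ARG... (e.g. vparmodify -p winona2 -a cpu::1) from within partition LOCAL.
decide() {
    local_vp=$1; shift
    if target_vp=$(target_of "$@"); then
        if allowed "$local_vp" "$target_vp"; then
            echo allow
        else
            echo deny
        fi
    else
        echo no-target
    fi
}

# Demonstration with constructed input: winona1 is designated, winona2 is not.
for vp in winona1 winona2; do
    printf '%s: %s\n' "$vp" "$(decide "$vp" vparmodify -p winona3 -a cpu::1)"
done
```

The same superuser privilege yields "allow" from winona1 and "deny" from winona2, which is exactly the property the feature adds: the check is on which partition the command is issued from, not on who issues it, so root in a non-designated partition still cannot reach a foreign target.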