Administrator's Guide

8.4.1 Planning the Roles
Planning an appropriate set of roles for the users of a system is a critical first step in
deploying HP-UX RBAC. In some enterprises, this set of roles already exists, and you can
reuse it when configuring HP-UX RBAC. More commonly, you must design the roles based
on the existing tasks associated with administrative users on the system.
Consider the following guidelines when designing roles:
• There should be considerably fewer roles than users of the system. If each user
  requires a role of their own, the simplified management that roles provide is lost.
• Roles should correspond to the actual business roles of the users.
• Users can hold multiple roles, so you can design some roles purely to group the
  authorizations common to several business roles. This lets you build roles
  hierarchically: a role includes another role by including its authorizations.
8.4.2 Planning Authorizations for the Roles
After defining roles, you can plan the authorizations associated with each role. If the
roles align with the pre-existing operation hierarchy, then assigning the authorizations
is straightforward. Enter the following command to list all the system-defined
authorizations:
# authadm list sys
If the existing authorization hierarchy does not align with your roles, defining the
authorizations associated with each role is more complex. You can use the following
steps to help:
1. List the system commands commonly used by each role.
2. Compare these commands to the entries in the /etc/rbac/cmd_priv database.
3. Use the authorizations in any matching entries as a guide for assigning
   authorizations to the role.
For example, assume one of the desired roles is UserOperator, which commonly runs
such commands as useradd, usermod, userdel, and so on. To determine what
authorizations might be appropriate for this role, enter the following command:
# grep useradd /etc/rbac/cmd_priv
/usr/sbin/useradd:dflt:(hpux.user.add,*):0/0//:dflt:dflt:dflt:
In this example, the /usr/sbin/useradd command requires the hpux.user.add
authorization (the second element of that pair, *, is the object it applies to).
You could assign this authorization directly, or assign the wildcard hpux.user.*
instead.
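The following script is an added example, not part of the HP-UX guide: it automates steps 1 to 3 above for a role, then shows the gap between the authorizations the role's commands actually need and what a wildcard such as hpux.user.* would grant. It parses only the third cmd_priv field, (authorization,object), which is the field the grep output above shows. The sample database is constructed; only the useradd line is from the guide, the other commands and authorization names are assumptions, and the script assumes a trailing * matches every authorization below that node of the dotted hierarchy.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): derive a role's authorizations from
# the commands it runs and show what a wildcard authorization really grants.
# Only field 3 of each cmd_priv line, "(operation,object)", is parsed.

# CONSTRUCTED sample database. Only the useradd line comes from the guide; the
# other commands and operation names are assumptions for illustration.
# Set CMD_PRIV_FILE to a copy of a real /etc/rbac/cmd_priv to use live data.
CMD_PRIV_SAMPLE='/usr/sbin/useradd:dflt:(hpux.user.add,*):0/0//:dflt:dflt:dflt:
/usr/sbin/usermod:dflt:(hpux.user.modify,*):0/0//:dflt:dflt:dflt:
/usr/sbin/userdel:dflt:(hpux.user.delete,*):0/0//:dflt:dflt:dflt:
/usr/sbin/groupadd:dflt:(hpux.user.group.add,*):0/0//:dflt:dflt:dflt:
/usr/bin/passwd:dflt:(hpux.user.password.modify,*):0/0//:dflt:dflt:dflt:
/sbin/shutdown:dflt:(hpux.admin.shutdown,*):0/0//:dflt:dflt:dflt:'

cmd_priv_db() {
    if [ -n "${CMD_PRIV_FILE:-}" ]; then cat "$CMD_PRIV_FILE"
    else printf '%s\n' "$CMD_PRIV_SAMPLE"; fi
}

# Print the operation a command requires, taken from field 3 "(operation,object)".
auth_for_cmd() {
    cmd_priv_db | awk -F: -v cmd="$1" '
        $1 == cmd {
            sub(/^\(/, "", $3); sub(/\)$/, "", $3)   # "(hpux.user.add,*)" -> "hpux.user.add,*"
            split($3, pair, ",")
            print pair[1]
            found = 1
        }
        END { if (!found) print "no cmd_priv entry for " cmd > "/dev/stderr" }'
}

# Minimal authorization set for a role: the distinct operations its commands need.
plan_role() {
    for c in "$@"; do auth_for_cmd "$c"; done | LC_ALL=C sort -u
}

# Every operation in the database that a pattern covers. Assumption: a trailing
# "*" matches everything below that node of the dotted hierarchy, so
# hpux.user.* covers hpux.user.group.add as well as hpux.user.add.
expand_auth() {
    cmd_priv_db | awk -F: -v pat="$1" '
        BEGIN { if (pat ~ /\*$/) { wild = 1; prefix = substr(pat, 1, length(pat) - 1) } }
        {
            sub(/^\(/, "", $3); sub(/\)$/, "", $3)
            split($3, pair, ",")
            op = pair[1]
            hit = wild ? (index(op, prefix) == 1) : (op == pat)
            if (hit && !(op in seen)) { seen[op] = 1; print op }
        }' | LC_ALL=C sort
}

# Operations the wildcard grants that the role's commands do not need: the
# over-privilege accepted by choosing the wildcard over explicit operations.
excess() {
    pat=$1; shift
    NEEDED=$(plan_role "$@")
    export NEEDED
    expand_auth "$pat" | awk '
        BEGIN { n = split(ENVIRON["NEEDED"], a, "\n"); for (i = 1; i <= n; i++) need[a[i]] = 1 }
        !($0 in need)'
}

echo "UserOperator needs:"
plan_role /usr/sbin/useradd /usr/sbin/usermod /usr/sbin/userdel
echo "hpux.user.* would additionally grant:"
excess 'hpux.user.*' /usr/sbin/useradd /usr/sbin/usermod /usr/sbin/userdel
```

Against the sample data the role needs hpux.user.add, hpux.user.delete and hpux.user.modify, while hpux.user.* also hands out hpux.user.group.add and hpux.user.password.modify; run `excess` against a real cmd_priv before settling on a wildcard so the extra grants are a deliberate choice rather than a surprise.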
Be careful using wildcards when assigning authorizations. Assigning hpux.user.*
actually assigns multiple authorizations, not only hpux.user.add:
152 HP-UX Role-Based Access Control