Administrator's Guide

The following is a list and brief description of the authadm command arguments:
add      Adds an authorization to the system list of valid authorizations in /etc/rbac/auths.
delete   Deletes an authorization from the system list of valid authorizations in /etc/rbac/auths.
assign   Assigns an authorization to a role and adds an entry to /etc/rbac/role_auth.
revoke   Revokes an authorization from a role and updates /etc/rbac/role_auth.
list     Lists valid authorizations per system or role, and lists roles associated with the specified operation.
IMPORTANT: Be aware that when you assign an authorization that contains the asterisk
* character, you must surround the wildcard character with quotation marks to prevent
shell interpretation, as shown in the following examples.
The following are examples of authorization creation and assignment based on Table 8-6:
# authadm add 'company.customauth.*'
authadm added auth: (company.customauth.*,*)
# authadm assign Administrator 'company.customauth.*'
authadm added auth for role Administrator
Use the list argument with the authadm command to verify the authorization
assignment, for example:
# authadm list
Administrator: (hpux.*, *) (company.customauth.*, *)
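The following script is an added example, not part of the HP-UX guide or its tooling. It parses text in the format of the authadm list output shown above, checks whether a role holds a given authorization, and reports the wildcard authorizations that give a role an entire operation subtree. The Operator role, the sample listing, and all function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of the `authadm list` output shown above.
# On a live system, replace the body of this function with: authadm list
sample_listing() {
cat <<'EOF'
Administrator: (hpux.*, *) (company.customauth.*, *)
Operator: (company.customauth.read, *)
EOF
}

# role_auths ROLE: read a listing on stdin and print one
# "operation object" pair per line for the named role.
role_auths() {
    awk -v role="$1" '
        index($0, role ":") == 1 {
            line = substr($0, length(role) + 2)
            while (match(line, /\([^)]*\)/)) {
                pair = substr(line, RSTART + 1, RLENGTH - 2)
                gsub(/[ \t]/, "", pair)      # "(a.*, *)" and "(a.*,*)" both occur
                split(pair, f, ",")
                print f[1], f[2]
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# has_auth ROLE OPERATION: succeed only if ROLE holds exactly OPERATION.
# Quote OPERATION when it contains *, for the same reason as with authadm.
has_auth() {
    sample_listing | role_auths "$1" |
        awk -v op="$2" '$1 == op { found = 1 } END { exit !found }'
}

# wildcard_auths ROLE: print the operations of ROLE that contain a wildcard,
# so broad grants can be reviewed against least privilege.
wildcard_auths() {
    sample_listing | role_auths "$1" | awk 'index($1, "*") { print $1 }'
}

for r in Administrator Operator; do
    echo "$r wildcard authorizations: $(wildcard_auths "$r" | tr '\n' ' ')"
done
```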
8.5.3 Configuring Additional Command Authorizations and Privileges
You must define any additional commands that are not provided in the default
configuration. The authorizations needed to run the commands must already exist and
must be assigned to a role. If you have not done this, the command will be configured,
but no user will be appropriately authorized to use the command.
Use the cmdprivadm command to edit a command's authorization and privilege
information. The cmdprivadm command works in a similar fashion to roleadm and
authadm, but only allows addition and removal of a command privilege and
authorization in the privrun database.
The following shows the cmdprivadm command syntax:
cmdprivadm add cmd=full_path_name_of_a_command | full_path_name_of_a_file
|[op=operation]|[object=object]
|[ruid=ruid]|[euid=euid]
|[rgid=rgid]|[egid=egid]
|[compartment=compartment_label]
|[privs=comma_separated_privilege_list]
158 HP-UX Role-Based Access Control