rbac.5 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

rbac(5) rbac(5)

NAME

rbac: RBAC - role-based access control

DESCRIPTION

RBAC (Role-Based Access Control) is an alternative to the all-or-nothing security model of traditional

root user-based systems. With RBAC, an administrator can assign roles to non-root users or UNIX

groups. Each role has authorizations composed of an operation and object, where the operation is an

action that can be performed on an object, and the object is an object the user can access with a given

operation. HP-UX RBAC database ﬁles are installed in the

/etc/rbac directory.

The following is a list of the HP-UX RBAC commands, presented in the sequence they are typically used:

roleadm Creates and manages role-related information in the

roles, user_role, and

role_auth databases.

authadm Creates and manages authorization information in the

auths, role_auth, and

cmd_priv databases.

cmdprivadm Creates and manages a command’s authorization and privilege information in the

cmd_priv database.

rbacdbchk Veriﬁes the syntax and cross references between of all the HP-UX RBAC databases and

performs cross reference checks between all the RBAC databases.

privrun Executes privileged commands for users with proper authorizations.

privedit Allows users with the proper authorization to invoke an editor for editing restricted ﬁles.

The following are the main steps in conﬁguring roles and authorizations are:

1. Create roles using the

roleadm command. The roles are added to the

/etc/rbac/roles data-

base.

2. Add authorizations using the

authadm command. The authorizations are added to the

/etc/rbac/auths database.

3. Assign authorizations or subroles to the roles using the

authadm command. The roles, subroles and

authorizations are added to the

/etc/rbac/role_auth database.

4. Associate users or UNIX groups to roles using the

roleadm command. The users or groups and their

corresponding roles are added to the

/etc/rbac/user_role

database.

5. Deﬁne the commands or ﬁles to edit that will be associated with authorizations using the

cmdprivadm command. The commands are added to the /etc/rbac/cmd_priv

database.

6. Check the databases using the

rbacdbchk command.

7. The authorized user can then either run privileged commands using the

privrun

wrapper command

or edit restricted ﬁles using the

privedit wrapper command.

The

privrun wrapper command determines what authorization is required for a given command. This

authorization-command information is deﬁned in the /etc/rbac/cmd_priv

database ﬁle. privrun

consults the roles and auths database ﬁles to decide whether the user calling privrun has the neces-

sary authorization based on the roles assigned to the user directly or indirectly via a UNIX group.

See privrun (1M) for details on the

privrun command, and refer to the /etc/rbac/cmd_priv section

in privrun (1M) for information about the

cmd_priv database ﬁle.

The

privedit wrapper command works similarly to the privrun command by determining the

required authorization needed to edit a given ﬁle. This authorization-ﬁle information is deﬁned in the

/etc/rbac/cmd_priv database ﬁle. privedit consults the roles and auths database ﬁles and

decides whether the user calling privedit has the necessary authorization to edit the ﬁle based on the

roles assigned to the user directly or indirectly via UNIX group.

See privedit (1M) for details on the

privedit command, and refer to the /etc/rbac/cmd_priv sec-

tion in privedit (1M) for information about the cmd_priv database ﬁle.

DATABASES

In each of the HP-UX RBAC databases, white space is ignored within an entry. (This excludes the new-

line (\n) character, which is used as a record separator.)

All of the ﬁelds in the HP-UX RBAC databases are case sensitive.

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (6 pages)

PAGE 1
rbac(5) rbac(5) NAME rbac: RBAC - role-based access control DESCRIPTION RBAC (Role-Based Access Control) is an alternative to the all-or-nothing security model of traditional root user-based systems. With RBAC, an administrator can assign roles to non-root users or UNIX groups. Each role has authorizations composed of an operation and object, where the operation is an action that can be performed on an object, and the object is an object the user can access with a given operation.
PAGE 2
rbac(5) rbac(5) The following is a list of the HP-UX RBAC databases are currently provided: • • • • • /etc/rbac/cmd_priv /etc/rbac/roles /etc/rbac/auths /etc/rbac/user_role /etc/rbac/role_auth There are two HP-UX RBAC database files which define valid roles and authorizations. The /etc/rbac/roles database defines valid roles, and the /etc/rbac/auths database defines valid authorizations. The authorizations are specified in the form of (operation , object ) pairs.
PAGE 3
rbac(5) rbac(5) /etc/rbac/auths The /etc/rbac/auths database contains definitions of all valid authorizations in the form of (operation , object ) pairs in the system. An administrator must define new (operation , object ) pairs in this file before the (operation , object ) pairs can be assigned to a role. The authorizations are added and removed from the /etc/rbac/auths file by authorized users using the authadm command (see authadm (1M)).
PAGE 4
rbac(5) rbac(5) A subrole is just another role with authorizations. When a subrole is assigned to a role, the role inherits all the authorizations of the subrole. The subrole name must be defined in the /etc/rbac/roles database file. No recursive role definition is permitted. For example, if "role1" has a subrole of "role2", and if users roleassign "role1" to "role2", this will cause a recursive definition of both "role1" and "role2", and the roleassign command will fail.
PAGE 5
rbac(5) rbac(5) role A valid role, as defined in /etc/rbac/roles. operation A specific operation that can be performed on an object. For example, hpux.printer.add is the operation of adding a printer. Or, hpux.printer.* is the operation of either adding or deleting a printer. object The object the user can access. If * is specified, all objects can be accessed by the operation.
PAGE 6
rbac(5) rbac(5) AUDITING These commands, privrun (1M), roleadm (1M), authadm (1M) and cmdprivadm(1M) all generate audit records. The audit records include a caller’s username, UID, role, authorizations, object, time of the event, success or failure of the event, etc. You can provide an audit filter database file (/etc/rbac/aud_filter) which allows a user to specify the role and the authorization (operation , object ) to be audited.