rbac.5 (2010 09)

rbac(5)
The following HP-UX RBAC databases are currently provided:
/etc/rbac/cmd_priv
/etc/rbac/roles
/etc/rbac/auths
/etc/rbac/user_role
/etc/rbac/role_auth
Two HP-UX RBAC database files define valid roles and authorizations. The /etc/rbac/roles database defines valid roles, and the /etc/rbac/auths database defines valid authorizations. Authorizations are specified in the form of (operation, object) pairs.
Two additional database files assign roles to users or UNIX groups and authorizations to roles. /etc/rbac/user_role maps users or UNIX groups to their assigned role(s). /etc/rbac/role_auth defines a set of authorizations or subroles for each role.

The /etc/rbac/cmd_priv database associates commands or files with authorizations.
/etc/rbac/cmd_priv

The /etc/rbac/cmd_priv file contains the authorizations required to execute certain commands or edit certain files. It also holds the resulting privileges (real and effective UID and GID, fine-grained privileges, and compartment) associated with the command. If the user is required to re-authenticate prior to successful authorization, a PAM service name is specified in this file indicating how privrun or privedit should identify itself to PAM.

The file contains any number of entries, where each entry is specified on a single line in the following format:

command|file:arguments:(operation,object):ruid/euid/rgid/egid:compartment:privs:pam_service:flags

These fields are explained in privrun(1M) and privedit(1M).
There may be multiple entries for the same command (with different required authorizations and resulting privileges). privrun and privedit evaluate each entry sequentially in the order specified in the file, continuing on to the next entry only if the user does not have the required authorization. If the user desires a particular entry, they can use command-line options with privrun or privedit to specify the set of privileges or authorization for that entry. Note that only authorizations can be specified to privedit.

See privrun(1M) or privedit(1M) for more information on the /etc/rbac/cmd_priv database.
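The entry format and the sequential evaluation order described above can be checked offline with a small parser. The following is an added example, not code from HP-UX or from this manual page: it parses a constructed cmd_priv-style database, models the "first entry whose required authorization the user holds wins" rule, and lists entries that grant effective UID 0 without naming a PAM service (so no re-authentication is requested). The sample entries, the authorization names, the wildcard matching rule and the audit heuristic are all assumptions made for illustration; the real privrun/privedit matching logic is documented in privrun(1M) and privedit(1M).

```python
"""Parser and evaluator for /etc/rbac/cmd_priv-style entries.

Added example: a simplified model of the format described in rbac(5).
Everything below (entries, authorization names, matching rule) is constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed sample database. Assumed field layout, exactly as rbac(5) lists it:
# command|file:arguments:(operation,object):ruid/euid/rgid/egid:compartment:privs:pam_service:flags
SAMPLE_CMD_PRIV = """\
# comment lines are ignored
/usr/sbin/useradd:*:(hpux.user.add,*):0/0/0/0:::rbac-reauth:
/usr/bin/date:-s *:(hpux.date.set,*):0/0/0/0::::
/usr/bin/date:*:(hpux.date.view,*):0/0/0/0::::
/etc/hosts:*:(hpux.network.hosts.edit,*):0/0/0/0:::rbac-reauth:edit
"""


@dataclass(frozen=True)
class CmdPrivEntry:
    command: str
    arguments: str
    operation: str
    obj: str
    ruid: str
    euid: str
    rgid: str
    egid: str
    compartment: str
    privs: str
    pam_service: str
    flags: str
    lineno: int


def parse_cmd_priv(text: str) -> list[CmdPrivEntry]:
    """Parse one entry per non-blank, non-comment line; raise ValueError on malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 8:
            raise ValueError(f"line {lineno}: expected 8 colon-separated fields, got {len(fields)}")
        command, arguments, auth, ids, compartment, privs, pam_service, flags = fields
        if not (auth.startswith("(") and auth.endswith(")") and "," in auth):
            raise ValueError(f"line {lineno}: authorization must be written as (operation,object)")
        operation, obj = (s.strip() for s in auth[1:-1].split(",", 1))
        id_parts = ids.split("/")
        if len(id_parts) != 4:
            raise ValueError(f"line {lineno}: expected ruid/euid/rgid/egid")
        entries.append(CmdPrivEntry(command, arguments, operation, obj, *id_parts,
                                    compartment, privs, pam_service, flags, lineno))
    return entries


def validation_errors(text: str) -> list[str]:
    """Return parse errors as strings instead of raising (handy for a pre-commit style check)."""
    try:
        parse_cmd_priv(text)
        return []
    except ValueError as exc:
        return [str(exc)]


def holds_authorization(user_auths: set[tuple[str, str]], operation: str, obj: str) -> bool:
    """True if one of the user's (operation, object) pairs covers the required pair.
    Assumption: '*' in the user's pairs is a shell-style wildcard (fnmatch); the real
    HP-UX matching rules are those in privrun(1M), not necessarily this one."""
    return any(fnmatchcase(operation, uop) and fnmatchcase(obj, uobj) for uop, uobj in user_auths)


def select_entry(entries: list[CmdPrivEntry], command: str, args: str,
                 user_auths: set[tuple[str, str]]) -> Optional[CmdPrivEntry]:
    """Sequential evaluation as rbac(5) describes: entries are tried in file order and
    the first one for this command/argument pattern whose authorization the user holds
    wins; a later entry is reached only if the user lacks the earlier one's authorization."""
    for entry in entries:
        if entry.command != command or not fnmatchcase(args, entry.arguments):
            continue
        if holds_authorization(user_auths, entry.operation, entry.obj):
            return entry
    return None


def audit_root_without_reauth(entries: list[CmdPrivEntry]) -> list[int]:
    """Line numbers of entries that run with effective UID 0 but name no PAM service,
    i.e. privrun/privedit will not ask the user to re-authenticate first.
    This is a review heuristic for the auditor, not a rule stated in rbac(5)."""
    return [e.lineno for e in entries if e.euid == "0" and not e.pam_service]


if __name__ == "__main__":
    db = parse_cmd_priv(SAMPLE_CMD_PRIV)
    chosen = select_entry(db, "/usr/bin/date", "-s now", {("hpux.date.view", "*")})
    print("entry chosen for a view-only user:", chosen.lineno if chosen else None)
    print("uid 0 without re-authentication on lines:", audit_root_without_reauth(db))
```

The ordering matters: in the constructed sample the `/usr/bin/date` entry with the `-s *` argument pattern sits before the catch-all `*` entry, so a user holding only `hpux.date.view` falls through to the second entry, which is the behaviour the "continuing on to the next entry" sentence describes. Reordering the two lines would change which privileges a given user ends up with, which is why a reviewer should read cmd_priv top to bottom rather than as an unordered set.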
/etc/rbac/roles

The /etc/rbac/roles database contains definitions of all valid roles in the system. An administrator must define new roles in this file before the roles can be assigned to a user. Roles are added to and removed from the /etc/rbac/roles file by authorized users using the roleadm command (see roleadm(1M)).

The /etc/rbac/roles database contains any number of entries, where each entry is defined on a single line in the following format:

rolename[:comment]

These fields are defined as follows:

Field        Description
rolename     The name of a role. For example, administrator, accountant, engineer, manager, etc.
[:comment]   (Optional) Either a simple comment or a URI to a detailed description of the role.

For example:

administrator:uri=http://www.site.com/adm.html

The following example has just the role name, no comment or optional URI:

SecurityOfficer
Hewlett-Packard Company HP-UX 11i Version 3: September 2010