rbac.5 (2010 09)

rbac(5) rbac(5)
/etc/rbac/auths
     The /etc/rbac/auths database contains definitions of all valid authorizations in the system, in
     the form of (operation, object) pairs. An administrator must define new (operation, object) pairs
     in this file before they can be assigned to a role. Authorizations are added to and removed from
     the /etc/rbac/auths file by authorized users using the authadm command (see authadm(1M)).

     The /etc/rbac/auths database contains any number of entries, where each entry is defined on a
     single line in the following format:

          (operation, object)[:comment]

     These fields are defined as follows:

     Field        Description
     operation    Denotes an action that can be performed on an object. For example,
                  hpux.printer.add is the operation of adding a printer, and
                  hpux.printer.delete is the operation of deleting a printer.
     object       The object the user can access with a given operation. If * is specified,
                  all objects can be accessed by the operation.
     [:comment]   (Optional) Either a simple comment or a uri to a detailed description of
                  the role.

     For example:

          (hpux.printer.add, bldg7printer): Add printers in building 7.
          (hpux.printer.delete, *): uri=http://foo.bar.com/printerauths.htm
          (hpux.fs.backup, /dev/rdsk/c0t1d0): Backup physical disk 1

     Note: The operations specified in the /etc/rbac/auths file must be fully-qualified and cannot
     use wildcards; however, the objects can be specified with a wildcard using the asterisk
     character (*). Authorizations that contain wildcard operations are validated using a match
     operation. At least one operation must match the wildcard to assign the authorization to the
     role.
/etc/rbac/user_role
     The /etc/rbac/user_role database defines the roles allowed for each specified user or UNIX
     group. User-to-role definitions are added to and removed from the /etc/rbac/user_role file by
     authorized users using the roleadm command (see roleadm(1M)).

     The /etc/rbac/user_role database contains any number of entries, where each entry is defined
     on a single line in the following format:

          user-name | &group-name : role[,role...]

     These fields are used as follows:

     Field                     Description
     user-name | &group-name   A valid user name or UNIX group name. Group names must begin
                               with the ampersand (&).
     role                      A valid role name defined in /etc/rbac/roles. More than one role
                               may be specified for a user or group, if they are separated by
                               commas.

     The example below shows that user Michael has the Administrator and Programmer roles. It also
     shows that user Jenny has the SecurityOfficer role assigned, and that the UNIX group users has
     the RegularUser role assigned:

          # roleadm list
          Michael: Administrator, Programmer
          Jenny: SecurityOfficer
          &users: RegularUser
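The two file formats above, /etc/rbac/auths and /etc/rbac/user_role, as an added example that is not part of this man page or of HP-UX itself: a small Python parser that checks the rules the page states (an operation must be fully qualified with no wildcard, an object of * covers every object, group names carry a leading &) and resolves a user's roles through its UNIX groups. The sample file contents are constructed here, not taken from a real system.

```python
import re
# Constructed sample files in the formats documented above (not from a real system).
AUTHS_SAMPLE = """(hpux.printer.add, bldg7printer): Add printers in building 7.
(hpux.printer.delete, *): uri=http://foo.bar.com/printerauths.htm
(hpux.fs.backup, /dev/rdsk/c0t1d0): Backup physical disk 1
"""
USER_ROLE_SAMPLE = """Michael: Administrator, Programmer
Jenny: SecurityOfficer
&users: RegularUser
"""
# (operation, object)[:comment]; an object may be a path, so only ')' or blank ends it.
AUTH_RE = re.compile(r"^\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)(?::(.*))?$")
def parse_auths(text):
    """Return [(operation, object, comment)]; reject malformed or wildcard operations."""
    auths = []
    for lineno, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line:
            continue
        m = AUTH_RE.match(line)
        if not m:
            raise ValueError(f"auths line {lineno}: malformed entry {line!r}")
        op, obj, comment = m.group(1), m.group(2), (m.group(3) or "").strip()
        if "*" in op:  # operations must be fully qualified; only objects may use *
            raise ValueError(f"auths line {lineno}: wildcard in operation {op!r}")
        auths.append((op, obj, comment))
    return auths

def parse_user_role(text):
    """Return {principal: [roles]}; group principals keep their leading '&'."""
    mapping = {}
    for lineno, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line:
            continue
        name, sep, roles = line.partition(":")
        name, roles = name.strip(), [r.strip() for r in roles.split(",") if r.strip()]
        if not sep or not name or not roles:
            raise ValueError(f"user_role line {lineno}: malformed entry {line!r}")
        mapping[name] = roles
    return mapping

def roles_for(mapping, user, groups=()):
    """Roles granted to user directly plus those granted to any of its UNIX groups."""
    roles = list(mapping.get(user, []))
    for g in groups:
        roles += [r for r in mapping.get("&" + g, []) if r not in roles]
    return roles

def is_defined(auths, op, obj):
    """True if (op, obj) is covered by a defined authorization; object * covers all."""
    return any(a_op == op and a_obj in ("*", obj) for a_op, a_obj, _ in auths)
```

On a real system the same functions can be pointed at the live files, which is a quick way to audit that no operation in /etc/rbac/auths carries a wildcard and that every principal's role list parses cleanly.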
/etc/rbac/role_auth
     The /etc/rbac/role_auth file defines the authorizations and/or subroles for each specified
     role. Each authorization is specified in the form of (operation, object) pairs. The
     authorization pairs are defined in the /etc/rbac/auths database file.
HP-UX 11i Version 3: September 2010 - 3 - Hewlett-Packard Company