Administrator's Guide

HP-UX RBAC offers the following features:
• Predefined configuration files specific to HP-UX, for a quick and easy deployment
• Flexible re-authentication via Pluggable Authentication Module (PAM), to allow
  restrictions on a per-command basis
• Integration with the HP-UX audit system, to produce a single, unified audit trail
• Pluggable architecture for customizing access control decisions
8.2 Access Control Basics
The goal of an access control system is to limit access to resources based on a set of
constraints. Typically, these constraints and their associated attributes fit into the following
categories:
• Subject: The entity attempting to access the resource. In the context of an operating
  system, the subject is commonly a user or a process associated with a user.
• Operation: An action performed on a resource. An operation can correspond directly
  to an application or a command. In the case of HP-UX RBAC, the operation is a
  dot-separated, hierarchical string, such as hpux.user.add.
• Object: The target of the operation, which is often the same as the end resource,
  but which can be different.
An access control request can be thought of as a question combining the previous
elements, where the response to the question (usually allow or deny) determines whether
access to the resource is granted. For example:
Is the user ron authorized to perform the operation hpux.fs.mount on the
object /dev/dsk/c0t1d0?
Often, the term authorization is used as a synonym for access control. In HP-UX RBAC,
authorization refers to the ability to perform an operation on an object. As shown in
Table 8-1, a user can have a set of authorizations, each of which allows access to a
resource.
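The request described above (subject, operation, object, answered with allow or deny) can be modeled as follows. This is an added example, not HP-UX RBAC code: the grants are constructed sample data, and the trailing "*" on an operation and the "*" object are assumed conventions introduced here for illustration. It compares operations component by component, because a raw string-prefix test would let a grant rooted at hpux.user also cover hpux.username.add.

```python
# Added illustration only: a toy model of the access control request,
# not HP-UX RBAC code. All grants below are constructed sample data.
from typing import NamedTuple

class Authorization(NamedTuple):
    operation: str   # dot-separated hierarchical string, e.g. hpux.user.add
    obj: str         # target object; "*" (assumed convention) means any object

# Constructed sample data: subject -> authorizations held.
GRANTS = {
    "ron": [Authorization("hpux.fs.mount", "/dev/dsk/c0t1d0"),
            Authorization("hpux.user.*", "*")],
    "liz": [Authorization("hpux.user.password.modify", "*")],
}

def operation_matches(granted: str, requested: str) -> bool:
    """Compare component by component, never by raw string prefix."""
    g, r = granted.split("."), requested.split(".")
    if "*" in r or "" in r or "" in g:
        return False                  # malformed or wildcard request: refuse
    if g[-1] == "*":                  # assumed: trailing * covers the subtree
        prefix = g[:-1]
        return len(r) > len(prefix) and r[:len(prefix)] == prefix
    return g == r

def object_matches(granted: str, requested: str) -> bool:
    """A granted "*" covers any object; otherwise the names must be equal."""
    return granted == "*" or granted == requested

def is_authorized(subject: str, operation: str, obj: str) -> bool:
    """May `subject` perform `operation` on `obj`? The default answer is deny."""
    for auth in GRANTS.get(subject, []):
        if (operation_matches(auth.operation, operation)
                and object_matches(auth.obj, obj)):
            return True
    return False

if __name__ == "__main__":
    # The question from the text, then three requests that must be denied.
    print(is_authorized("ron", "hpux.fs.mount", "/dev/dsk/c0t1d0"))  # allow
    print(is_authorized("ron", "hpux.fs.mount", "/dev/dsk/c0t2d0"))  # other object
    print(is_authorized("ron", "hpux.username.add", "x"))            # prefix trap
    print(is_authorized("jim", "hpux.user.add", "x"))                # unknown subject
```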
Table 8-1 Example of Authorizations Per User
Users: liz, jim, lisa, ron
Operation Component of Authorization:
hpux.user.add
hpux.user.delete
hpux.user.modify
hpux.user.password.modify
hpux.network.nfs.start
144 HP-UX Role-Based Access Control