Administrator's Guide

Table 8-1 Example of Authorizations Per User (continued)
Users | Operation Component of Authorization
hpux.network.nfs.stop
hpux.network.nfs.config
hpux.fs.backup
hpux.fs.restore
NOTE: Table 8-1 shows only the operation element of the authorizations—not the object
element of the authorizations.
8.2.1 Simplifying Access Control with Roles
In addition to the basic principles of access control discussed in the preceding overview,
this section addresses how access control policy is represented and how access decisions
are made.
One approach is to simply maintain a list of users and the authorizations (operation,
object pairs) assigned to each of them. This approach has the advantage of being flexible,
because each user's set of authorizations can be completely different from those of the
other users.
Unfortunately, this approach is also difficult to manage because as you add users, you
must determine exactly which authorizations each user requires. Also, when performing
audits, you must examine each user individually to determine his or her associated
authorizations.
HP-UX RBAC addresses these issues by grouping users with common authorization needs
into roles. Roles serve as a grouping mechanism to simplify authorization assignment
and auditing. Rather than assigning an authorization directly to a user, you assign
authorizations to roles. As you add users to the system, you assign them a set of roles,
which determine the actions they can perform and the resources they can access.
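The two representations described above, as an added example that is not part of the HP-UX RBAC documentation or product: authorizations are (operation, object) pairs, kept either in a flat per-user list or assigned to roles that are then assigned to users. The operation names and role names are taken from Tables 8-1 and 8-2; the user names (alice, bob, carol), the object value "*" meaning "any object", and the particular role-to-authorization assignments are assumptions made for the illustration.

```python
"""Role-based vs. per-user authorization, constructed for the section above.

Added example, not HP-UX RBAC code. Only the operation names and role names
come from the tables in the text; users, objects and the assignment of
authorizations to roles are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    operation: str  # e.g. "hpux.fs.backup"
    obj: str        # "*" (any object) or a specific object name (assumed convention)

    def permits(self, operation: str, obj: str) -> bool:
        # Exact match on the operation; "*" in the object field matches any object.
        return self.operation == operation and self.obj in ("*", obj)


# --- Representation 1: a flat list of authorizations per user (assumed data) ---
PER_USER = {
    "alice": frozenset({Authorization("hpux.fs.backup", "*"),
                        Authorization("hpux.fs.restore", "*")}),
    "bob":   frozenset({Authorization("hpux.network.nfs.stop", "*"),
                        Authorization("hpux.network.nfs.config", "*"),
                        Authorization("hpux.user.add", "*")}),
}

# --- Representation 2: authorizations per role, roles per user (assumed data) --
ROLE_AUTHS = {
    "BackupOper":   frozenset({Authorization("hpux.fs.backup", "*"),
                               Authorization("hpux.fs.restore", "*")}),
    "NetworkAdmin": frozenset({Authorization("hpux.network.nfs.stop", "*"),
                               Authorization("hpux.network.nfs.config", "*")}),
    "UserAdmin":    frozenset({Authorization("hpux.user.add", "*")}),
}
USER_ROLES = {
    "alice": frozenset({"BackupOper"}),
    "bob":   frozenset({"NetworkAdmin", "UserAdmin"}),
}


def effective_authorizations(user: str) -> frozenset:
    """Union of the authorizations of every role assigned to the user."""
    auths = set()
    for role in USER_ROLES.get(user, ()):
        auths |= ROLE_AUTHS[role]
    return frozenset(auths)


def is_authorized(user: str, operation: str, obj: str) -> bool:
    """Access decision under the role-based representation."""
    return any(a.permits(operation, obj) for a in effective_authorizations(user))


def is_authorized_flat(user: str, operation: str, obj: str) -> bool:
    """The same decision under the per-user representation, for comparison."""
    return any(a.permits(operation, obj) for a in PER_USER.get(user, ()))


def roles_granting(operation: str, obj: str) -> list:
    """Audit question 1: which roles grant this authorization? One pass over roles."""
    return sorted(r for r, auths in ROLE_AUTHS.items()
                  if any(a.permits(operation, obj) for a in auths))


def users_granting(operation: str, obj: str) -> list:
    """Audit question 2: which users hold it? Answered by following role
    membership rather than by inspecting every user's individual list."""
    roles = set(roles_granting(operation, obj))
    return sorted(u for u, rs in USER_ROLES.items() if rs & roles)


def add_user(user: str, roles) -> frozenset:
    """Onboarding under the role model is a role assignment, not a per-authorization
    decision. Returns the authorizations the new user ends up with."""
    unknown = set(roles) - ROLE_AUTHS.keys()
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    USER_ROLES[user] = frozenset(roles)
    return effective_authorizations(user)


if __name__ == "__main__":
    # Both representations agree on every decision for the sample data.
    for user in ("alice", "bob"):
        for a in PER_USER[user]:
            assert is_authorized(user, a.operation, "nfs") == is_authorized_flat(user, a.operation, "nfs")
    print("roles granting hpux.fs.backup:", roles_granting("hpux.fs.backup", "*"))
    print("users granting hpux.fs.backup:", users_granting("hpux.fs.backup", "*"))
    print("carol after add_user:",
          sorted(a.operation for a in add_user("carol", {"BackupOper"})))
```

The audit helpers are the point of the example: under the flat model, "who can run hpux.fs.backup?" requires reading every user's list, whereas under the role model it is a lookup over a handful of roles followed by a membership check, and the same two tables answer "what does this new user get?" the moment a role is assigned.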
Compare Table 8-2, which lists authorizations assigned to roles, with Table 8-1, which
lists authorizations assigned to each user. By comparing these two tables, you can see
how roles simplify authorization assignment.
Table 8-2 Example of Authorizations Per Role
Role | Operation Component of Authorization
Admin
BackupOper
NetworkAdmin
UserAdmin
hpux.user.add
8.2 Access Control Basics 145