Administrator's Guide

NOTE: HP-UX RBAC offers the ability to add a special user named DEFAULT to the
/etc/rbac/user_role database. Assigning a role to the DEFAULT user means any
user that is not explicitly listed in that database is assigned that role. Because
DEFAULT is a catch-all, assign it only roles you are willing to grant to every
unlisted account.
8.5.1.3 Assigning Roles to Groups
HP-UX RBAC also enables you to assign roles to groups. The roleadm subcommands
that take a user value, such as roleadm assign user role and roleadm revoke user
role, accept a group in place of the user.
To assign, revoke, or list group and role information with roleadm, prefix the
group name with an ampersand (&) in the user value. Because the shell would
otherwise treat & as the background-job operator, the ampersand and group name
must be enclosed in quotation marks or escaped so that roleadm receives them intact.
For example:
# roleadm assign "&groupname" role
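The following is an added example, not code from the HP-UX guide or from HP-UX itself. It resolves the roles a login would receive from a user_role database that holds direct user entries, "&group" entries, and the DEFAULT catch-all, and adds an audit check that lists accounts whose only roles come from DEFAULT. Three things are assumptions made for the example: the line format 'name: role[, role ...]', that DEFAULT applies only to a user matched neither directly nor through a group, and that group membership is read from the member list in /etc/group only (not the primary GID in /etc/passwd). The sample database contents are constructed.

```python
# Added example (not from the HP-UX guide, and not HP-UX's own code): resolve
# the roles a login receives from a user_role database that holds direct user
# entries, "&group" entries and the DEFAULT catch-all.
# Assumptions: the line format 'name: role[, role ...]', that DEFAULT applies
# only to users matched neither directly nor through a group, and that group
# membership is taken from the member list in /etc/group only.

DEFAULT_USER = "DEFAULT"
GROUP_PREFIX = "&"

# Constructed sample /etc/rbac/user_role (assumed format).
SAMPLE_USER_ROLE = """\
# name: role[, role ...]   "&name" is a group, DEFAULT is the catch-all
root: Administrator
alice: UserOperator
&secops: SecurityOperator, AuditOperator
DEFAULT: Guest
"""

# Constructed sample /etc/group.
SAMPLE_GROUP = """\
sys:*:3:root,bin
secops:*:200:bob,carol
users:*:20:alice,bob
"""

# Constructed list of local accounts, used by the audit helper below.
SAMPLE_ACCOUNTS = ["root", "alice", "bob", "carol", "dave"]


def parse_user_role(text):
    """Map each user_role name (user, &group or DEFAULT) to its set of roles."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, roles = line.partition(":")
        db.setdefault(name.strip(), set()).update(
            r.strip() for r in roles.split(",") if r.strip())
    return db


def parse_group(text):
    """Map each group name to the set of members listed in its fourth field."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def resolve_roles(user, user_role_db, group_db):
    """Roles from a direct entry plus every "&group" entry whose group contains
    the user; DEFAULT only when nothing else matched (assumed semantics)."""
    roles = set(user_role_db.get(user, ()))
    matched = user in user_role_db
    for group, members in group_db.items():
        key = GROUP_PREFIX + group
        if user in members and key in user_role_db:
            roles |= user_role_db[key]
            matched = True
    if not matched:
        roles |= user_role_db.get(DEFAULT_USER, set())
    return roles


def default_only_accounts(accounts, user_role_db, group_db):
    """Audit check: accounts that hold roles solely through DEFAULT. Anything
    DEFAULT carries is granted to every account in this list."""
    no_default = dict(user_role_db)
    no_default.pop(DEFAULT_USER, None)
    return sorted(a for a in accounts
                  if not resolve_roles(a, no_default, group_db)
                  and resolve_roles(a, user_role_db, group_db))


def roles_for(user):
    """Convenience wrapper over the constructed sample databases."""
    return resolve_roles(user, parse_user_role(SAMPLE_USER_ROLE),
                         parse_group(SAMPLE_GROUP))


def audit_sample():
    """DEFAULT-only accounts in the constructed sample."""
    return default_only_accounts(SAMPLE_ACCOUNTS,
                                 parse_user_role(SAMPLE_USER_ROLE),
                                 parse_group(SAMPLE_GROUP))


if __name__ == "__main__":
    for account in SAMPLE_ACCOUNTS:
        print(f"{account:8s} -> {sorted(roles_for(account))}")
    print("DEFAULT-only accounts:", audit_sample())
```

In the sample, bob and carol obtain their roles only through the "&secops" entry, alice is listed directly and so never sees the DEFAULT role, and dave, who appears nowhere, receives Guest purely from DEFAULT; the audit helper reports exactly that last case.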
8.5.2 Configuring Authorizations
Configuring authorizations is similar to creating and assigning roles. However,
an authorization has two elements: an operation and an object. The * wildcard, the
most commonly used object, is the implicit object used if you do not specify an
object when invoking the authadm command. In many cases the object is deliberately
left unspecified so that the operation applies to all objects. This is common for
authorizations that apply to wrapped commands, because it can be difficult to
determine the target of an action from the command name alone.
An example of this object ambiguity is the /usr/sbin/passwd command. The passwd
command can operate on a number of repositories, for example the /etc/passwd
file, an NIS table, and an LDAP entry. Because you cannot determine the actual
object by looking at the command line, it is typically easiest to require that the
user hold the operation on all objects, for example: (hpux.security.passwd.change, *).
NOTE: You can configure a value for the default object. By default, if you do not
specify an object, HP-UX RBAC uses the * wildcard as the object. However, if you
have configured a value for the RBAC_DEFAULT_OBJECT= parameter in
/etc/default/security, HP-UX RBAC uses that value instead of the * wildcard as the
default object. The default is applied silently whenever an object is omitted, so
verify the recorded object with authadm list rather than assuming it is *.
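The following is an added example, not code from the HP-UX guide or from HP-UX itself. It models two things described above: how the object of an authorization is filled in when it is omitted (the * wildcard unless RBAC_DEFAULT_OBJECT is set), and how a recorded (operation, object) pair matches a request, using the passwd case from the text. The matching rules are assumptions made for the example: a * object matches any object, and an operation ending in ".*" matches every operation under that prefix. The /etc/default/security fragments are constructed.

```python
# Added example (not from the HP-UX guide, and not HP-UX's own code): how an
# authorization's object is filled in when omitted, and how a recorded
# (operation, object) pair matches a request. Assumptions: "*" as the object
# matches any object, an operation ending in ".*" matches every operation under
# that prefix, and the RBAC_DEFAULT_OBJECT= line is parsed as KEY=VALUE.

WILDCARD = "*"
PASSWD_OP = "hpux.security.passwd.change"

# Constructed /etc/default/security fragments: without and with the parameter.
SECURITY_DEFAULTS_UNSET = "# RBAC_DEFAULT_OBJECT not configured\n"
SECURITY_DEFAULTS_SET = "RBAC_DEFAULT_OBJECT=/etc/passwd\n"


def read_default_object(security_text):
    """Return the RBAC_DEFAULT_OBJECT value, or '*' when it is absent or empty."""
    for line in security_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "RBAC_DEFAULT_OBJECT":
            return value.strip() or WILDCARD
    return WILDCARD


def record_authorization(operation, obj=None, default_object=WILDCARD):
    """The pair that 'authadm add operation [object]' records: the object given,
    otherwise the configured default (the '*' wildcard unless overridden)."""
    return (operation, obj if obj else default_object)


def operation_matches(granted_op, requested_op):
    """Exact match, or prefix match for a granted operation ending in '.*'
    (assumed wildcard form, e.g. hpux.security.*)."""
    if granted_op in (requested_op, WILDCARD):
        return True
    if granted_op.endswith(".*"):
        return requested_op.startswith(granted_op[:-1])   # keeps the trailing dot
    return False


def object_matches(granted_obj, requested_obj):
    """A granted '*' covers every object; anything else must match exactly."""
    return granted_obj == WILDCARD or granted_obj == requested_obj


def is_authorized(granted, requested):
    """True when any granted (operation, object) pair covers the requested pair."""
    requested_op, requested_obj = requested
    return any(operation_matches(g_op, requested_op)
               and object_matches(g_obj, requested_obj)
               for g_op, g_obj in granted)


# The passwd case from the text: the repository the command will touch cannot be
# read from the command line, so the usual grant is on all objects. The second
# pair shows what the same 'authadm add' call records once RBAC_DEFAULT_OBJECT
# has been set to /etc/passwd.
PASSWD_ANY_REPOSITORY = record_authorization(PASSWD_OP)
PASSWD_LOCAL_FILE_ONLY = record_authorization(
    PASSWD_OP, default_object=read_default_object(SECURITY_DEFAULTS_SET))


def passwd_change_allowed(granted, repository):
    """Would a role holding `granted` be allowed to change a password held in
    `repository` (a constructed label such as '/etc/passwd', 'nis' or 'ldap')?"""
    return is_authorized(granted, (PASSWD_OP, repository))


if __name__ == "__main__":
    for repo in ("/etc/passwd", "nis", "ldap"):
        print(f"{repo:12s} wildcard grant: "
              f"{passwd_change_allowed([PASSWD_ANY_REPOSITORY], repo)!s:5}  "
              f"local-file grant: {passwd_change_allowed([PASSWD_LOCAL_FILE_ONLY], repo)}")
```

The second recorded pair is the practical consequence of the note above: with RBAC_DEFAULT_OBJECT set to /etc/passwd, an authorization added without an explicit object no longer covers the NIS or LDAP repositories, even though the command invoked and the operation name are unchanged.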
Use the authadm command to edit authorization information in the HP-UX RBAC
databases. The authadm syntax is similar to the roleadm syntax. Following is the
authadm command syntax:
authadm add operation [object [comments]]
      | delete operation [object]
      | assign role operation [object]
      | revoke [role=name] [operation=name [object=name]]
      | list [role=name] [operation=name [object=name]] [sys]