rbac(5) (2010 09)
A subrole is just another role with authorizations. When a subrole is assigned to a role, the role inherits all the authorizations of the subrole. The subrole name must be defined in the /etc/rbac/roles database file. No recursive role definition is permitted. For example, if "role1" has a subrole of "role2", and a user roleassigns "role1" to "role2", this would create a recursive definition of both "role1" and "role2", and the roleassign command will fail.
Authorized users can use the authadm command to specify the authorizations and/or subroles for each role in /etc/rbac/role_auth (refer to authadm(1M) for more information).
All authorizations and/or subroles associated with a role must be specified in a single entry. This entry can span more than one line; however, each individual authorization pair must not exceed one line. Lines that begin with alphanumeric characters followed by a colon (:) are considered new entries. The entries are in the following format:

     role: (operation, object) subrole...
     role: (operation, object)...
     role: subrole (operation, object)...
     role: subrole subrole...
These fields are defined as follows:

     Field       Description
     role        A valid role, as defined in /etc/rbac/roles.
     operation   A specific operation that can be performed on an object. For example,
                 hpux.printer.add is the operation of adding a printer, and hpux.printer.*
                 is the operation of either adding or deleting a printer.
     object      The object the user can access. If * is specified, all objects can be
                 accessed by the operation. More than one (operation, object) pair may be
                 specified for a role.
     subrole     A valid role, as defined in /etc/rbac/roles. It is assigned to another role.
The following entry states that the role SecurityOfficer has the authorization (hpux.passwd, /etc/passwd), which means that the operation hpux.passwd can access the object /etc/passwd. SecurityOfficer also has the ability to add and delete system users.

     SecurityOfficer: (hpux.passwd, /etc/passwd)
                      (hpux.user.add, *)
                      (hpux.user.del, *)

The role PrinterAdm has authorization to perform hpux.printer.add on all objects.

     PrinterAdm: (hpux.printer.add, *)

The role Administrator has subroles SecurityOfficer and PrinterAdm, and therefore has all the authorizations of both subroles, as shown in the preceding examples.

     Administrator: SecurityOfficer PrinterAdm
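The following is an added example, not part of this man page or of HP-UX RBAC itself: a small parser for the /etc/rbac/role_auth entry format above that resolves the authorizations a role inherits through its subroles and flags the recursive definitions that roleassign refuses. The sample file content is constructed from the entries on this page; the prefix matching for an operation such as hpux.printer.* is an assumption, since the page only gives one example of it.

```python
import re
# Constructed sample of /etc/rbac/role_auth, using the entries from this page.
ROLE_AUTH = """\
SecurityOfficer: (hpux.passwd, /etc/passwd)
    (hpux.user.add, *)
    (hpux.user.del, *)
PrinterAdm: (hpux.printer.add, *)
Administrator: SecurityOfficer PrinterAdm
"""
PAIR_RE = re.compile(r"\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)")  # one (operation, object) pair

def parse_role_auth(text):
    """{role: (pairs, subroles)}; 'name:' at line start opens a new entry."""
    roles, current = {}, None
    for line in text.splitlines():
        if re.match(r"^[A-Za-z0-9]\w*:", line):
            current, _, line = line.partition(":")
            roles[current] = ([], [])
        if current is None:
            continue                     # text before the first entry is ignored
        pairs, subs = roles[current]
        pairs.extend(PAIR_RE.findall(line))
        subs.extend(PAIR_RE.sub("", line).split())  # whatever is not a pair is a subrole
    return roles

def effective_auths(roles, role, _chain=()):
    """Own pairs plus all pairs inherited through subroles; ValueError on recursion."""
    if role in _chain:
        raise ValueError("recursive role definition: " + " -> ".join(_chain + (role,)))
    pairs, subs = roles[role]            # KeyError if the role is not defined
    result = set(pairs)
    for sub in subs:
        result |= effective_auths(roles, sub, _chain + (role,))
    return result

def is_recursive(roles, role):
    try:
        effective_auths(roles, role)
        return False
    except ValueError:
        return True

def authorized(roles, role, operation, obj):
    """'*' object matches any object; an op ending in '.*' is assumed to match that prefix."""
    for op, o in effective_auths(roles, role):
        op_ok = op == operation or (op.endswith(".*") and operation.startswith(op[:-1]))
        if op_ok and o in ("*", obj):
            return True
    return False
```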
/etc/rbac/aud_filter

The /etc/rbac/aud_filter file defines role and authorization audit filtering. Audit records will be generated for users whose role and associated authorization are found in this file. If a user's role and associated authorization are not found in the file, then no audit records specific to role and authorization will be generated. Each authorization is specified in the form of (operation, object) pairs.

Authorized users (as specified in the /etc/rbac/cmd_priv database file) can edit /etc/rbac/aud_filter to specify the role and authorization to be audited.

All authorizations associated with a role must be specified in a single entry. Only one authorization may be specified per role. The entries are of the following format:

     role, operation, object
These fields are defined as follows:
Field Description
4 Hewlett-Packard Company 4 HP-UX 11i Version 3: September 2010