HP UX 11i Role-based Access Control (RBAC) Software manual HP-UX Rbac Components


HP-UX RBAC addresses these issues by grouping users with common authorization needs into roles. Roles serve as a grouping mechanism to simplify authorization assignment and auditing. Rather than assigning an authorization directly to a user, you assign authorizations to roles. As you add users to the system, you assign them a set of roles, which determine the actions they can perform and the resources they can access.

Compare Table 3-2 “Example of Authorizations Per Role”, which lists authorizations assigned to roles, to Table 3-1 “Example of Authorizations Per User”, which lists the authorizations assigned to each user. By comparing these two tables, you can see how roles simplify authorization assignment.

Table 3-2 Example of Authorizations Per Role

Columns (roles): UserAdmin, NetworkAdmin, BackupOper, Admin (the marks in the cells showing which role holds each authorization are not reproduced here).

Rows (operation component of authorization):

    hpux.user.add
    hpux.user.delete
    hpux.user.modify
    hpux.user.password.modify
    hpux.network.nfs.start
    hpux.network.nfs.stop
    hpux.network.nfs.config
    hpux.fs.backup
    hpux.fs.restore

NOTE: Table 3-2 “Example of Authorizations Per Role” shows only the operation element of the authorizations—not the object element of the authorization.

NOTE: HP-UX RBAC B.11.23.02 and higher versions also allow UNIX groups to be assigned to roles. Refer to “Assigning Roles to Groups” for more information.
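The user-to-role-to-authorization lookup described above, as an added illustration that is not part of the HP-UX manual or product: a small model in which authorizations are (operation, object) pairs, users hold roles, and a check resolves a user's effective authorizations through those roles. The role contents, user names, object patterns and the use of "*" as a wildcard are constructed assumptions for this example, not the manual's data.

```python
from fnmatch import fnmatchcase

# Constructed sample data loosely following the row and column labels of
# Table 3-2. Each authorization is an (operation, object) pair; "*" is
# assumed here to act as a wildcard in either element.
ROLE_AUTHS = {
    "UserAdmin": [("hpux.user.add", "*"), ("hpux.user.delete", "*"),
                  ("hpux.user.modify", "*"), ("hpux.user.password.modify", "*")],
    "NetworkAdmin": [("hpux.network.nfs.start", "*"), ("hpux.network.nfs.stop", "*"),
                     ("hpux.network.nfs.config", "*")],
    # BackupOper may back up anything but restore only under /home (assumed
    # object restriction, to show the object element of an authorization).
    "BackupOper": [("hpux.fs.backup", "*"), ("hpux.fs.restore", "/home/*")],
    "Admin": [("hpux.*", "*")],
}

# Users are assigned roles, never authorizations directly (constructed data).
USER_ROLES = {
    "alice": ["UserAdmin"],
    "bob": ["NetworkAdmin", "BackupOper"],
    "root": ["Admin"],
}

def _matches(pattern, value):
    # Case-sensitive glob match; "hpux.*" therefore covers "hpux.user.add".
    return fnmatchcase(value, pattern)

def effective_authorizations(user):
    """Union of the (operation, object) pairs granted through the user's roles."""
    auths = set()
    for role in USER_ROLES.get(user, []):
        auths.update(ROLE_AUTHS.get(role, []))
    return auths

def is_authorized(user, operation, obj="*"):
    """True if any effective authorization matches both operation and object."""
    return any(_matches(op_pat, operation) and _matches(obj_pat, obj)
               for op_pat, obj_pat in effective_authorizations(user))

def roles_granting(operation, obj="*"):
    """Audit view: which roles grant this operation on this object."""
    return sorted(role for role, auths in ROLE_AUTHS.items()
                  if any(_matches(o, operation) and _matches(b, obj) for o, b in auths))

def users_granting(operation, obj="*"):
    """Audit view: which users end up with the operation through their roles."""
    granted = set(roles_granting(operation, obj))
    return sorted(u for u, roles in USER_ROLES.items() if granted & set(roles))
```

Because the audit functions walk the role table rather than every user, adding a user only requires assigning roles, which is the simplification the two tables are meant to show.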

HP-UX RBAC Components

The following is a list of the primary HP-UX RBAC components:

Privilege shells (privsh, privksh, and privcsh) that allow a non-root user to automatically invoke privrun when needed by simply configuring a privilege shell as their default shell.

Integration with HP System Management Homepage (SMH), allowing for the management of local RBAC roles, authorizations, and commands through the Web interface of SMH Version 2.2 and higher.

The privrun wrapper command, which, based on the authorizations associated with a user, invokes existing legacy applications with privileges after performing authorization checks and optionally re-authenticating the user, without modifying the application.

The privedit command, which, based on the authorizations associated with a user, allows users to edit files they usually would not be able to edit because of file permissions or Access Control Lists (ACLs).
