HP UX 11i Role-based Access Control (RBAC) Software manual

Models: UX 11i Role-based Access Control (RBAC) Software


commands because it can be difficult to determine the target of an action from the command name.

An example of this object ambiguity is the /usr/sbin/passwd command. The passwd command can operate on a number of repositories, for example, the /etc/passwd file, an NIS table, and an LDAP entry. You cannot determine the actual object by looking at the command line, so it is typically easiest to require that the user have the operation on all objects, for example:

(hpux.security.passwd.change, *).

NOTE: You can configure a value for the default object. By default, if you do not specify an object, HP-UX RBAC will use the * wildcard as the object. However, if you have configured a value for the RBAC_DEFAULT_OBJECT= parameter in /etc/default/security, HP-UX RBAC will use this value instead of the * wildcard as the default object.

Use the authadm command to edit authorization information in the HP-UX RBAC databases. The authadm syntax is similar to the roleadm syntax. The following is the authadm command syntax:

authadm add operation [object [comments]]
authadm delete operation [object]
authadm assign role operation [object]
authadm revoke [role=name] [operation=name [object=name]]
authadm list [role=name] [operation=name [object=name]] [sys]

The following is a list and brief description of the authadm command arguments:

add: Adds an authorization to the system list of valid authorizations in /etc/rbac/auths.

delete: Deletes an authorization from the system list of valid authorizations in /etc/rbac/auths.

assign: Assigns an authorization to a role and adds an entry to /etc/rbac/role_auth.

revoke: Revokes an authorization from a role and updates /etc/rbac/role_auth.

list: Lists valid authorizations per system or role, and lists roles associated with the specified operation.

IMPORTANT: Be aware that when you add or assign an authorization that contains the asterisk (*) character, you must surround the wildcard character with quotation marks to prevent shell interpretation, as shown in the following examples.

The following are examples of authorization creation and assignment based on Table 3-6 “Example Planning Results”:

# authadm add 'company.customauth.*'
authadm added auth: (company.customauth.*,*)

# authadm assign Administrator 'company.customauth.*'
authadm added auth for role Administrator

Use the list argument with the authadm command to verify the authorization assignment, for example:

# authadm list

Administrator: (hpux.*, *) (company.customauth.*, *)
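The following is an added example, not code from the HP-UX RBAC product or this manual. It evaluates (operation, object) authorization pairs in the format that authadm list prints above, and illustrates two points from this page: the passwd object ambiguity (a role holding the operation only on /etc/passwd is not authorized for the NIS or LDAP repositories, while a role holding (hpux.*, *) covers all of them) and the RBAC_DEFAULT_OBJECT= setting in /etc/default/security that replaces the * default object. The sample authadm output, the /etc/default/security fragment, the Operator role, and the repository object names "nis" and "ldap" are constructed for the example; treating * as a glob-style wildcard in both the operation and the object is an assumption, since the page shows the wildcard but does not spell out the matching rules.

```python
"""Evaluate HP-UX RBAC style (operation, object) authorizations.

Added example: parses the `authadm list` output format shown on this
page and checks whether a role is authorized for a given operation on a
given object.  Not HP's implementation; matching semantics are assumed.
"""
import re
from fnmatch import fnmatchcase

# One "(operation, object)" or "(operation)" pair; object is optional.
PAIR_RE = re.compile(r"\(\s*([^,\s)]+)\s*(?:,\s*([^)]*?)\s*)?\)")

# Constructed sample in the format printed by `authadm list`.
# The Operator role and its authorizations are made up for the example.
AUTHADM_LIST_OUTPUT = """\
Administrator: (hpux.*, *) (company.customauth.*, *)
Operator: (hpux.security.passwd.change, /etc/passwd) (company.customauth.report)
"""

# Constructed /etc/default/security fragment (hypothetical setting value).
SECURITY_DEFAULTS = """\
# other settings omitted
RBAC_DEFAULT_OBJECT=/etc/passwd
"""

# Repositories the page names as possible targets of /usr/sbin/passwd.
# The object names for NIS and LDAP are constructed placeholders.
PASSWD_TARGETS = ("/etc/passwd", "nis", "ldap")


def default_object(security_file_text: str) -> str:
    """Return the configured RBAC_DEFAULT_OBJECT value, or '*' if unset."""
    for line in security_file_text.splitlines():
        line = line.strip()
        if line.startswith("RBAC_DEFAULT_OBJECT="):
            value = line.split("=", 1)[1].strip()
            if value:
                return value
    return "*"


def parse_role_auth(text: str, default_obj: str = "*") -> dict:
    """Parse `authadm list` output into {role: [(operation, object), ...]}.

    A pair written without an object, e.g. "(company.customauth.report)",
    receives the default object, as the NOTE on this page describes.
    """
    auths = {}
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        role, pairs = line.split(":", 1)
        entries = []
        for op, obj in PAIR_RE.findall(pairs):
            # findall yields '' (not None) for an absent optional group.
            entries.append((op, obj if obj else default_obj))
        auths[role.strip()] = entries
    return auths


def is_authorized(auths: dict, role: str, operation: str, obj: str) -> bool:
    """True if any pair held by `role` matches (operation, obj).

    Assumption: '*' in either position matches any run of characters,
    so "hpux.*" covers "hpux.security.passwd.change" and "*" covers any
    object.  Objects such as /etc/passwd contain no other glob metacharacters.
    """
    for op_pattern, obj_pattern in auths.get(role, []):
        if fnmatchcase(operation, op_pattern) and fnmatchcase(obj, obj_pattern):
            return True
    return False


def passwd_coverage(auths: dict, role: str) -> dict:
    """Show the object-ambiguity problem for hpux.security.passwd.change:
    which of the possible passwd repositories the role is authorized for."""
    return {
        target: is_authorized(auths, role, "hpux.security.passwd.change", target)
        for target in PASSWD_TARGETS
    }


if __name__ == "__main__":
    auths = parse_role_auth(AUTHADM_LIST_OUTPUT)
    for role in ("Administrator", "Operator"):
        print(role, passwd_coverage(auths, role))
    print("default object:", default_object(SECURITY_DEFAULTS))
```

Run as written, the Administrator role reports True for every passwd repository while the constructed Operator role reports True only for /etc/passwd, which is why the page recommends granting the operation on all objects for commands whose target cannot be read from the command line.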

Step 3: Configuring Additional Command Authorizations and Privileges

Define any additional commands that are not provided in the default configuration. You must have already created the authorizations needed to run the commands and assigned them to a role. If you have not done this, the command will be configured, but no user will be appropriately authorized to use the command.

38 HP-UX Role-Based Access Control
