HP UX 11i Role-based Access Control (RBAC) Software manual Example 3-1 The authadm Command Syntax


Table 3-8 Example Roles Configuration Using Hierarchical Roles in HP-UX RBAC B.11.23.03

Role                      Authorizations
Administrator             UserOperator
                          NetworkOperator
                          (hpux.security.*, *)
UserOperator              (hpux.user.*, *)
NetworkOperator           NetworkServiceOperator
                          (hpux.network.device.*, *)
NetworkServiceOperator    (hpux.network.service.*, *)

Changes to the authadm Command for Hierarchical Roles

In HP-UX RBAC B.11.23.03 the authadm command, which edits authorization information in the /etc/rbac/role_auth and /etc/rbac/roles database files, includes new sub-commands and options to support hierarchical roles. Specifically, authadm now supports the roleassign and rolerevoke subcommands, and also supports the subrole option to the list subcommand, as shown in the following:

Example 3-1 The authadm Command Syntax

authadm roleassign role subrole

authadm rolerevoke role=<rolename> subrole=<rolename>

authadm list subrole=<subrole_name>

NOTE: See authadm(1m) for complete information about the authadm command.

For examples of the new authadm roleassign subcommand for hierarchical roles, consider the information in previous tables. Instead of using authadm to assign each authorization individually to the roles in Table 3-8 (page 41), you can directly assign the sub-roles using the following authadm commands (assuming the roles are already created and the authorizations have been assigned to them):

Example 3-2 Example of the authadm Command Usage

# authadm roleassign Administrator UserOperator

# authadm roleassign Administrator NetworkOperator

# authadm roleassign NetworkOperator NetworkServiceOperator

NOTE: When an authorization is added to or removed from a sub-role (for example, UserOperator in the previous examples), the parent role inherits that addition or removal as well.

Hierarchical Roles Considerations

Be aware that using hierarchical roles carries a minor performance penalty. Specifically, each time an entry that references another role is read, the entry defining that role must also be retrieved. This can become an issue when there is a long chain of roles referencing other roles: if you view the role relationships as a tree, the taller the tree, the greater the performance penalty. You can avoid this penalty by assigning authorizations directly to the role rather than through a sub-role. HP recommends limiting the role depth to three to five roles.
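The inheritance described in the NOTE above and the depth penalty described in this section, as an added example that is not part of the HP-UX manual: a Python model of the Table 3-8 hierarchy that resolves a role's effective authorizations through its sub-roles, measures the role depth, and refuses a roleassign that would make a role inherit from itself. The ROLE_AUTH and SUBROLES dictionaries, MAX_RECOMMENDED_DEPTH and the cycle check are assumptions of this example; the HP-UX authadm command itself is not run.

```python
from typing import Dict, List, Optional, Set, Tuple

Auth = Tuple[str, str]  # (operation, object), e.g. ("hpux.user.*", "*")

# Constructed from Table 3-8: direct authorizations per role and the
# sub-roles each role references (an in-memory stand-in for the
# /etc/rbac/role_auth entries; the real authadm command is not invoked).
ROLE_AUTH: Dict[str, List[Auth]] = {
    "Administrator": [("hpux.security.*", "*")],
    "UserOperator": [("hpux.user.*", "*")],
    "NetworkOperator": [("hpux.network.device.*", "*")],
    "NetworkServiceOperator": [("hpux.network.service.*", "*")],
}
SUBROLES: Dict[str, List[str]] = {
    "Administrator": ["UserOperator", "NetworkOperator"],
    "NetworkOperator": ["NetworkServiceOperator"],
}
MAX_RECOMMENDED_DEPTH = 5  # HP recommends a depth of three to five roles

def effective_auths(role: str, seen: Optional[Set[str]] = None) -> Set[Auth]:
    """Direct authorizations plus everything inherited through sub-roles."""
    seen = set() if seen is None else seen
    if role in seen:  # already read: skip, so bad data cannot loop forever
        return set()
    seen.add(role)
    auths = set(ROLE_AUTH.get(role, []))
    for sub in SUBROLES.get(role, []):  # each referenced entry is read too,
        auths |= effective_auths(sub, seen)  # the lookup cost the manual notes
    return auths

def role_depth(role: str, path: Tuple[str, ...] = ()) -> int:
    """Height of the tree rooted at role (1 = no sub-roles); raises on a cycle."""
    if role in path:
        raise ValueError(f"role cycle: {path + (role,)}")
    subs = SUBROLES.get(role, [])
    return 1 + max((role_depth(s, path + (role,)) for s in subs), default=0)

def roleassign(role: str, subrole: str) -> bool:
    """Stand-in for `authadm roleassign role subrole`; refuses a cycle."""
    # The page does not say how the real authadm handles a cycle; this
    # rejects any assignment that would make role inherit from itself.
    SUBROLES.setdefault(role, []).append(subrole)
    try:
        role_depth(role)
    except ValueError:
        SUBROLES[role].pop()
        return False
    return True
```

Appending an authorization to ROLE_AUTH["UserOperator"] and re-running effective_auths("Administrator") shows the parent picking it up, which is the behaviour the NOTE describes.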

Configuring HP-UX RBAC 41
