authadm(1M)

HP-UX 11i Version 3: February 2007
NAME

authadm — non-interactive command for administering the authorization information in the RBAC databases.

SYNOPSIS

authadm add operation [object [comments]]

authadm delete operation [object]

authadm assign role operation [object]

authadm roleassign role subrole

authadm revoke role=name [operation=name [object=name]]

authadm rolerevoke role=name subrole=name

authadm list [role=name] [[operation=name] [object=name] | [subrole=name]] | [sys]

DESCRIPTION

authadm is a non-interactive command that allows users with the appropriate privileges to modify and list authorization information in the /etc/rbac/roles and /etc/rbac/auths RBAC database files.

HP recommends using only the authadm, cmdprivadm, and roleadm commands to edit and view the RBAC databases -- do not edit the RBAC files without these commands.

See rbac(5) for more information on these RBAC databases.

Options

With the exception of the list option, all options recognize a default object. If the parameter RBAC_DEFAULT_OBJECT is specified with a non-empty value in the security default file, /etc/default/security, then the value of this parameter will be the default object. However, if the parameter RBAC_DEFAULT_OBJECT does not exist or is set to an empty value, then the default object will be set to a wild card (*).

Here is how to specify a value to the RBAC_DEFAULT_OBJECT parameter in /etc/default/security:

RBAC_DEFAULT_OBJECT=value

For example: In /etc/default/security, RBAC_DEFAULT_OBJECT=lj8 sets the default object to lj8. If the RBAC_DEFAULT_OBJECT line is not present or is commented out, then the default object will be set to "*".
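The following Python script is an added illustration and is not part of HP-UX or of authadm: it models the default-object rule above (a non-empty RBAC_DEFAULT_OBJECT value wins; a missing, commented-out or empty setting yields "*") and the add option's rule that a comment may only be given together with an explicit object. The sample /etc/default/security contents are constructed, and the handling of a repeated parameter (last occurrence wins) is an assumption the man page does not state.

```python
# Added example, not HP's code: model how authadm picks the default object
# from /etc/default/security and how that shapes an 'authadm add' entry.
import re

DEFAULT_OBJECT_RE = re.compile(r"^\s*RBAC_DEFAULT_OBJECT=(.*)$")


def rbac_default_object(security_text):
    """Return the default object for the given /etc/default/security content:
    the RBAC_DEFAULT_OBJECT value if it is present and non-empty, else "*".
    A commented-out line ('#RBAC_DEFAULT_OBJECT=...') does not match.
    Assumption: if the parameter is repeated, the last occurrence wins."""
    value = ""
    for line in security_text.splitlines():
        m = DEFAULT_OBJECT_RE.match(line)
        if m:
            value = m.group(1).strip()
    return value or "*"


def add_authorization(operation, obj=None, comment=None, security_text=""):
    """Model of 'authadm add operation [object [comments]]': return the
    (operation, object, comment) triple that would be recorded. With no
    object the default object is used and, as the man page states, a
    comment is then not allowed."""
    if obj is None:
        if comment is not None:
            raise ValueError("a comment requires an explicit object")
        obj = rbac_default_object(security_text)
    return (operation, obj, comment)


# Constructed sample files (not real HP-UX configuration).
SECURITY_UNSET = "# /etc/default/security (constructed sample)\n#RBAC_DEFAULT_OBJECT=lj8\n"
SECURITY_EMPTY = "RBAC_DEFAULT_OBJECT=\n"
SECURITY_LJ8 = "RBAC_DEFAULT_OBJECT=lj8\n"

if __name__ == "__main__":
    for text in (SECURITY_UNSET, SECURITY_EMPTY, SECURITY_LJ8):
        print(add_authorization("hpux.mount", security_text=text))
```

With SECURITY_LJ8 in place, authadm add hpux.mount records the pair (hpux.mount, lj8) rather than (hpux.mount, *), which is why a site-wide RBAC_DEFAULT_OBJECT should be checked before adding or deleting authorizations without an explicit object.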

authadm recognizes the following options:

add operation [object [comments]]

Adds an authorization pair (operation, object) to the system list of valid authorizations by appending a line to the /etc/rbac/auths file.

If object is not specified, then a default object will be assigned. The default object will either be a wild card (*) or the object specified in the security default configuration file, /etc/default/security. A comment may not be specified when adding an entry that refers to the default object in /etc/default/security. The only way to add a comment to an entry with the add option is to specify the object explicitly.

delete operation [object]

Deletes an authorization from the system list of valid authorizations. If object is not specified, then a default object will be assumed. The default object will either be a wild card (*) or the object specified in the security default configuration file, /etc/default/security.

If the authorization exists in /etc/rbac/auths, authadm deletes the entry. If the specified authorization is assigned to any roles in /etc/rbac/role_auth, authadm will remove the authorization from the role. If the specified authorization exists in an entry in /etc/rbac/cmd_priv, authadm will remove the entire entry. If the authorization does not exist in /etc/rbac/auths, authadm returns an error message. See the RETURN VALUE section below for more information.

assign role operation [object]

Assigns an authorization pair (operation, object) to a role. authadm verifies that the role exists in /etc/rbac/roles before verifying that the authorization pair (operation, object) exists in /etc/rbac/auths. If both the role and the authorization pair exist, authadm appends the authorization to the role-to-authorization mapping in /etc/rbac/role_auth.

If object is not specified, then a default object will be assigned. The default object will either be a wild card (*) or the object specified in the security default configuration file, /etc/default/security.

roleassign role subrole

Assigns a role to another, different role. The role being assigned is referred to as a subrole. A subrole is any valid role defined in the /etc/rbac/roles database.

The roleassign option allows hierarchical role definition: one role can inherit from other subroles. After a subrole is assigned to a role, that role also has all the authorizations of the subrole, and of any of the subrole's own subroles. More than one subrole can be assigned to a role. authadm verifies that the role and subrole exist in /etc/rbac/roles. It also verifies that the assignment does not create a recursive definition: if role1 has the subrole role2, an attempt to make role1 a subrole of role2 (authadm roleassign role2 role1) is rejected, because role1 and role2 would then be defined in terms of each other. authadm then appends the subrole to the role-to-authorization mapping in /etc/rbac/role_auth.

revoke role=name [operation=name [object=name]]

Revokes an authorization from the specified role in /etc/rbac/role_auth. If no authorization is specified, authadm revokes all the authorizations for the given role. If object is not specified, then a default object will be assumed. The default object will either be a wild card (*) or the object specified in the security default configuration file, /etc/default/security.

Note: The /etc/rbac/role_auth file will be modified by the authadm revoke command.

rolerevoke role=name subrole=name

Revokes a subrole from the specified role in /etc/rbac/role_auth. Note that the role specified as the subrole is not removed from the database; only the subrole assignment is revoked.

For instance, if these entries are in the database:

    role1: (operation1, object1) role2
    role2: role3 (operation2, object2), role4

then authadm rolerevoke role=role1 subrole=role2 modifies the first line, leaving:

    role1: (operation1, object1)
    role2: role3 (operation2, object2), role4

authadm revokes the specified authorizations and/or subrole for the given role.

Note: The /etc/rbac/role_auth file will be modified by the authadm rolerevoke command.

list [role=name] [[operation=name] [object=name] | [subrole=name]] | [sys]

Invoking authadm list without any parameters lists every entry in /etc/rbac/role_auth. Specifying a role name lists all the authorizations and subroles assigned to that role. Specifying an operation name lists all the roles which have that operation. Specifying an object name lists all the entries with that object. Specifying a subrole name lists all the roles which have that subrole. Specifying sys lists all the authorizations in the /etc/rbac/auths database.
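The following Python script is an added illustration and is not authadm's own code: it models the /etc/rbac/role_auth entries in the form shown in the rolerevoke example above, computes the authorizations a role holds through its subroles, applies the recursion check that roleassign performs, and shows what rolerevoke removes. The line syntax is taken from that example; the exact on-disk format of /etc/rbac/role_auth, the treatment of '#' as a comment marker, and the assumption that every role named has an entry are assumptions of this model. The sample database is constructed.

```python
# Added example, not authadm's code: a small model of /etc/rbac/role_auth
# entries, used to show what roleassign/rolerevoke change and why authadm
# rejects a recursive roleassign.
import re

# An authorization pair as written in the man page: (operation, object)
PAIR_RE = re.compile(r"\(\s*([^,()]+?)\s*,\s*([^()]+?)\s*\)")


def parse_role_auth(text):
    """Parse lines of the form 'role: (op, obj) subrole, ...' into
    {role: {"auths": [(op, obj), ...], "subroles": [name, ...]}}."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        role, _, rest = line.partition(":")
        auths = [(op, obj) for op, obj in PAIR_RE.findall(rest)]
        # whatever is left after removing the pairs are bare subrole names
        remainder = PAIR_RE.sub(" ", rest)
        subroles = [t for t in re.split(r"[\s,]+", remainder) if t]
        db[role.strip()] = {"auths": auths, "subroles": subroles}
    return db


def effective_auths(db, role, _seen=None):
    """All (operation, object) pairs a role holds, including those inherited
    through its subroles and their subroles."""
    seen = _seen if _seen is not None else set()
    if role in seen:
        return set()
    seen.add(role)
    entry = db.get(role, {"auths": [], "subroles": []})
    result = set(entry["auths"])
    for sub in entry["subroles"]:
        result |= effective_auths(db, sub, seen)
    return result


def reaches(db, start, target):
    """True if 'target' is 'start' itself or is reachable from it via subroles."""
    stack, seen = [start], set()
    while stack:
        r = stack.pop()
        if r == target:
            return True
        if r in seen:
            continue
        seen.add(r)
        stack.extend(db.get(r, {"subroles": []})["subroles"])
    return False


def would_recurse(db, role, subrole):
    """The check roleassign performs: assigning 'subrole' under 'role' is
    recursive if 'role' is already reachable from 'subrole'."""
    return reaches(db, subrole, role)


def roleassign(db, role, subrole):
    """Model of 'authadm roleassign role subrole'."""
    for r in (role, subrole):
        if r not in db:   # assumption: db has an entry for every defined role
            raise ValueError("role %s is not defined" % r)
    if would_recurse(db, role, subrole):
        raise ValueError("assigning %s to %s would be recursive" % (subrole, role))
    if subrole not in db[role]["subroles"]:
        db[role]["subroles"].append(subrole)


def rolerevoke(db, role, subrole):
    """Model of 'authadm rolerevoke role=... subrole=...': drop only the
    assignment; the subrole's own entry is untouched."""
    if subrole not in db.get(role, {"subroles": []})["subroles"]:
        raise ValueError("%s is not a subrole of %s" % (subrole, role))
    db[role]["subroles"].remove(subrole)


def format_entry(db, role):
    """Render one entry in the man page's 'role: (op, obj) subrole' style."""
    entry = db[role]
    items = ["(%s, %s)" % pair for pair in entry["auths"]] + entry["subroles"]
    return ("%s: %s" % (role, " ".join(items))).rstrip()


# Constructed sample in the shape of the man page's example (not a real database).
SAMPLE_ROLE_AUTH = """\
role1: (operation1, object1) role2
role2: role3 (operation2, object2), role4
role3: (operation3, object3)
role4: (operation4, object4)
"""

if __name__ == "__main__":
    db = parse_role_auth(SAMPLE_ROLE_AUTH)
    print(sorted(effective_auths(db, "role1")))
    print(would_recurse(db, "role2", "role1"))   # role1 already holds role2
    rolerevoke(db, "role1", "role2")
    print(format_entry(db, "role1"))
```

The effective_auths walk is the reason roleassign is a privileged operation: granting a role one subrole grants it everything below that subrole, so the list output for a role should be read together with the entries of each subrole it names.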

Authorizations

In order to invoke authadm, the user must either be root (running with an effective uid of 0) or have the appropriate authorization(s). The following is a list of the required authorizations for running authadm with particular options:

hpux.security.access.auth.add,*

Allows user to run authadm with add option.

hpux.security.access.auth.delete,*

Allows user to run authadm with delete option.

hpux.security.access.auth.assign,*

Allows user to run authadm with assign or roleassign option.

hpux.security.access.auth.revoke,*

Allows user to run authadm with revoke or rolerevoke option.

hpux.security.access.auth.list,*

Allows user to run authadm with list option.

EXTERNAL INFLUENCES

Environment Variables

LC_MESSAGES determines the language in which messages are displayed.

International Code Set Support

Single-byte character code set is supported.

RETURN VALUE

0

Success.

1

Failure. authadm returns 1 and prints an appropriate error message to stderr.

EXAMPLES

The following commands each add an authorization (operation, object) entry in the /etc/rbac/auths database file:

# authadm add hpux.printer.job.cancel printer6
# authadm add hpux.mount
# authadm add hpux.printer.bld3

The following commands each delete an authorization (operation, object) entry from the /etc/rbac/auths database file:

# authadm delete hpux.printer.job.cancel printer6
# authadm delete hpux.printer.bld3

The following commands each assign an authorization (operation, object) pair to a role in /etc/rbac/role_auth database file:

# authadm assign administrator hpux.printer.job.cancel printer6
# authadm assign accountant hpux.db.admin

The following commands each assign a subrole to a role in /etc/rbac/role_auth database file:

# authadm roleassign administrator printAdmin
# authadm roleassign administrator diskAdmin

The following commands each revoke an authorization (operation, object) pair from a role in the /etc/rbac/role_auth database file:

# authadm revoke role=administrator operation=hpux.printer.job.cancel object=printer6
# authadm revoke role=accountant operation=hpux.db.admin

The following commands each revoke a subrole from the specified role in the /etc/rbac/role_auth database file:

# authadm rolerevoke role=administrator subrole=printAdmin
# authadm rolerevoke role=administrator subrole=diskAdmin

The following command lists all the authorizations for the administrator role:

# authadm list role=administrator

The following command lists all the entries with operation hpux.db.admin:

# authadm list operation=hpux.db.admin

The following command lists all the entries with object /etc/passwd:

# authadm list object=/etc/passwd

The following command lists all the authorizations in the /etc/rbac/auths database:

# authadm list sys

FILES

/etc/rbac/roles

Database containing valid definitions of all roles.

/etc/rbac/auths

Database containing definitions of all valid authorizations.

/etc/rbac/user_role

Database specifying the roles allowed for each specified user.

/etc/rbac/role_auth

Database defining the authorizations for each specified role.

© 1983-2007 Hewlett-Packard Development Company, L.P.