NAME
roleadm — noninteractive editing of role-related information in RBAC databases
SYNOPSIS
roleadm add role [comments]
roleadm delete role
roleadm modify oldrolename newrolename
roleadm assign user role
roleadm revoke user [role]
roleadm list [user=username] [role=rolename] [sys]
DESCRIPTION
roleadm
is a noninteractive command that allows users with the appropriate
authorization to modify and list the role information in
/etc/rbac/user_role,
/etc/rbac/role_auth,
and
/etc/rbac/roles.
See
rbac(5)
for information on these RBAC databases.
HP recommends that only the
authadm,
cmdprivadm,
and
roleadm
commands be used to edit and view the RBAC databases.
Do not edit the RBAC files directly.
Options
roleadm
recognizes the following options:
- add role [comments]
Add a role to the system list of valid roles.
Appends a line containing the role name to the
/etc/rbac/roles
file.
You can enter an optional comment after the role.
- delete role
Remove a role from the system list of valid roles.
If the role is present in
/etc/rbac/roles,
its entry is removed.
If role is not present, then
roleadm
returns an error code; see
RETURN VALUE.
- modify oldrolename newrolename
Change the name of a role.
This option causes a modification of the RBAC databases
(/etc/rbac/user_role,
/etc/rbac/role_auth,
and
/etc/rbac/roles),
replacing each occurrence of
oldrolename
with
newrolename.
- assign user role
Assign a role to a user or a group.
The command first verifies that the user is a valid user and that the role is present in the
/etc/rbac/roles
file.
When this is the case, the role is appended to the
user->role
mapping in the
/etc/rbac/user_role
file.
If the user argument begins with an ampersand (such as &users), what follows the ampersand is taken to be a group name. The ampersand must be shell-escaped or quoted, as in \&users or "&users".
An administrator may specify a default set of roles by assigning roles to the
DEFAULT
keyword.
If a user is not otherwise explicitly assigned roles in the
/etc/rbac/user_role
database, he or she will be given roles assigned to the
DEFAULT
role.
- revoke user [role]
Revoke a role from the specified user.
If no role is specified,
then all roles are revoked for the given user.
(The user entry is removed from
/etc/rbac/user_role).
If the user argument begins with an ampersand (such as &users), what follows the ampersand is taken to be a group name. The ampersand must be shell-escaped or quoted, as in \&users or "&users".
- list [user=username] [role=rolename] [sys]
List user and role information from the RBAC databases,
/etc/rbac/user_role
and
/etc/rbac/roles.
If neither
user=
nor
role=
is specified,
then list all the users with assigned roles.
If
user=username
is specified, then only the role(s) of the specified user
will be listed.
If the user argument begins with an ampersand (such as &users), what follows the ampersand is taken to be a group name. The ampersand must be shell-escaped or quoted, as in \&users or "&users".
If only
role=rolename
is specified, then only list the user(s) assigned to the specified role.
If both
user=username
and
role=rolename
are specified, then the entry with the user
username
and role
rolename
will be listed, if it exists.
If the specified user does not exist in the system and there exists the special user,
DEFAULT,
in the
/etc/rbac/user_role
database, then the roles listed for the specified user will be those of the
DEFAULT
user.
In the event that there is more than one
DEFAULT
user defined in the
/etc/rbac/user_role
database, the system will recognize only the last one.
If
sys
is specified, then all the roles in the
roles database,
/etc/rbac/roles,
will be listed.
When
sys
is specified, no other argument will be taken by
roleadm.
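The DEFAULT fallback and the &group convention described above, as an added example that is not part of this manual page or of HP-UX: a small Python audit script that parses constructed user_role and roles data in the layout this page's EXAMPLES section shows, resolves the roles that roleadm list would report for a user, and flags roles that are assigned but never defined. The comment syntax, comma-separated roles on one line, and the roles-file comment layout are assumptions.

```python
# Constructed sample databases, in the layout shown in this page's examples
# ("user:role" per line; "&name" denotes a group; DEFAULT is the fallback).
USER_ROLE_SAMPLE = """\
John:administrator
&adm:administrator
Joe:sysAdmin
Joe:webMaster
DEFAULT:guest
DEFAULT:operator
"""
ROLES_SAMPLE = """\
administrator
sysAdmin
guest
operator
"""

def parse_user_role(text):
    # Ordered (principal, [roles]) entries, one per non-blank line of user_role.
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if ":" not in line:
            continue
        principal, roles = line.split(":", 1)
        # assumption: several roles on one line may be comma-separated
        entries.append((principal.strip(), [r.strip() for r in roles.split(",") if r.strip()]))
    return entries

def parse_roles(text):
    # Role name is the first token of a line; text after ':' or a space is the comment.
    return {h[0] for h in (ln.split(":", 1)[0].split() for ln in text.splitlines()) if h}

def effective_roles(user, entries):
    # Roles "roleadm list user=" would report: explicit entries, else the last DEFAULT entry.
    explicit = [r for p, rs in entries if p == user for r in rs]
    if explicit:
        return explicit
    defaults = [rs for p, rs in entries if p == "DEFAULT"]
    return defaults[-1] if defaults else []

def audit(entries, roles):
    # Findings a reviewer of the databases wants: dangling roles and an ambiguous DEFAULT.
    findings = [f"{p}: role '{r}' is not defined in /etc/rbac/roles"
                for p, rs in entries for r in rs if r not in roles]
    if sum(1 for p, _ in entries if p == "DEFAULT") > 1:
        findings.append("DEFAULT: multiple entries; only the last one is recognized")
    return findings
```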
Authorizations
In order to invoke
roleadm,
the user must either be root (running with an effective uid of 0)
or have the appropriate authorization(s).
The following is a list of the required authorizations for running
roleadm
with particular options:
- hpux.security.access.role.add,*
Allows the user to run roleadm with the add option.
- hpux.security.access.role.delete,*
Allows the user to run roleadm with the delete option.
- hpux.security.access.role.modify,*
Allows the user to run roleadm with the modify option.
- hpux.security.access.role.assign,*
Allows the user to run roleadm with the assign option.
- hpux.security.access.role.revoke,*
Allows the user to run roleadm with the revoke option.
- hpux.security.access.role.list,*
Allows the user to run roleadm with the list option.
EXTERNAL INFLUENCES
Environment Variables
LC_MESSAGES
determines the language in which messages are displayed.
International Code Set Support
Single-byte character code set is supported.
RETURN VALUE
Upon completion,
roleadm
returns one of the following values:
- 0
Success.
- 1
Failure.
An appropriate error message is printed to stderr.
EXAMPLES
The following command will append the line
administrator
to the
/etc/rbac/roles
file.
# roleadm add administrator
The following command will append the line
&adm:administrator
to the
/etc/rbac/user_role
file.
# roleadm assign "&adm" administrator
The following command will delete the line
accountant
in the
/etc/rbac/roles
file and other databases.
# roleadm delete accountant
The following command will delete the line
&adm:administrator
from the
/etc/rbac/user_role
file.
# roleadm revoke "&adm" administrator
The following command will replace the role name
webAdmin
with
webMaster
in
/etc/rbac/roles,
/etc/rbac/user_role,
and
/etc/rbac/role_auth.
# roleadm modify webAdmin webMaster
The following command will append the line
John:administrator
to the
/etc/rbac/user_role
file:
# roleadm assign John administrator
The following command will remove the line
John:administrator
from the
/etc/rbac/user_role
file:
# roleadm revoke John administrator
The following command will remove all the roles for user
John
from the
/etc/rbac/user_role
file:
# roleadm revoke John
The following command will remove all the roles for group name
users
from the
/etc/rbac/user_role
file:
# roleadm revoke "&users"
The following command will list all the roles for user
Joe:
# roleadm list user=Joe
The following command will list all users and groups with role
sysAdmin:
# roleadm list role=sysAdmin
The following command will list entries with user
Joe
and
rolename
sysAdmin:
# roleadm list user=Joe role=sysAdmin
The following command will list entries with group name
vts:
# roleadm list user="&vts"
The following command will list all the entries in the
/etc/rbac/user_role
file:
# roleadm list
FILES
- /etc/rbac/roles
Database containing valid definitions of all roles.
- /etc/rbac/auths
Database containing definitions of all valid authorizations.
- /etc/rbac/user_role
Database specifying the roles allowed for each specified user.
- /etc/rbac/role_auth
Database that defines the allowed authorization for each specified role.
- /etc/rbac/cmd_priv
Database containing the authorization to execute specified commands
and the privileges to alter uid and gid for command execution.