|
|
|
google unix.com
|
|||||||
| Forums | Register | Forum Rules | Links | Albums | FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
| AIX AIX is IBM's industry-leading UNIX operating system that meets the demands of applications that businesses rely upon in today's marketplace. |
More UNIX and Linux Forum Topics You Might Find Helpful
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Unix Rbac | JPoroo | UNIX for Dummies Questions & Answers | 4 | 09-17-2008 08:09 AM |
| Automating RBAC with IF/Then statement | deaconf19 | Shell Programming and Scripting | 0 | 11-15-2007 03:20 AM |
| RBAC Help | deaconf19 | SUN Solaris | 4 | 11-14-2007 04:59 AM |
| Rbac | chrisdberry | SUN Solaris | 0 | 02-27-2007 05:47 AM |
| RBAC logging | geomonap | UNIX for Advanced & Expert Users | 0 | 02-15-2006 04:27 PM |
 |
Powered by 
|
|
|
LinkBack | Thread Tools | Search this Thread | Rate Thread | Display Modes |
|
|
06-06-2008
|
||||
|
||||
|
RBAC in 5.3 Question
I would like to use the Role Based access control to granulize some of the administration of AIX systems in our organization. Across the company we will be using aix 5.3. One of these roles will only have the access to make, change and delete users, something similar to ManageAllUsers. The thing that I dont understand about RBAC in aix 5.3 is that in order to make this work, I have to assign both the secuity group and the role to the user, lets call him ‘groucho’. My big question is, if I add groucho to the security group, he will be able to run the mkuser, rmuser, and chuser commands with or without the ManageAllUsers (or ManageBasicUsers) Role. So my question is what good is the Role at all? If I add the proper group membership, it not only gives access to run these commands, but possibly even some commands that I don’t want authorized.
|
|
06-09-2008
|
||||
|
||||
|
Perhaps if I elaborate a little bit. I have user one 'groucho' and a second user 'karl' . I want groucho to be a user admin, with the ability to create, change, and delete user accounts. I assign him the role of ManageAllUsers and the required security group. I want Karl to be able to manage Roles, I assign Karl the ManageRoles group and the security group. I do not want groucho to be able to change, create, or delete roles. However, once I've given the group membership to groucho the command
$smit mkrole allows me to run no problem (when Ideally he would only be able to administer user type commands) consequently, if i run $smit user from Karl's account, I can also create and delete users. Neither of these Roles give any kind of benefit if they are not coupled with the secondary group membership 'security', however it seems that if I remove the roles from both users, and simply leave the security group in place, they have the same access permissions... No more, No less. Is this the way that RBAC is supposed to work in aix 5.3? I have read quite a bit about the features of ERBAC in 6.1 and I'm wondering if that is the only way to achieve the amount of granularity that I require. Can someone offer any insights? |
|
| Bookmarks |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
|
|
Hybrid Mode
