Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: RBAC in 5.3 Question
Operating Systems AIX RBAC in 5.3 Question Post 302203665 by dgaixsysadm on Monday 9th of June 2008 01:26:31 PM
Old 06-09-2008
Perhaps if I elaborate a little bit. I have user one 'groucho' and a second user 'karl' . I want groucho to be a user admin, with the ability to create, change, and delete user accounts. I assign him the role of ManageAllUsers and the required security group. I want Karl to be able to manage Roles, I assign Karl the ManageRoles group and the security group. I do not want groucho to be able to change, create, or delete roles. However, once I've given the group membership to groucho the command
$smit mkrole
allows me to run no problem (when Ideally he would only be able to administer user type commands)
consequently, if i run
$smit user
from Karl's account, I can also create and delete users. Neither of these Roles give any kind of benefit if they are not coupled with the secondary group membership 'security', however it seems that if I remove the roles from both users, and simply leave the security group in place, they have the same access permissions... No more, No less. Is this the way that RBAC is supposed to work in aix 5.3? I have read quite a bit about the features of ERBAC in 6.1 and I'm wondering if that is the only way to achieve the amount of granularity that I require.

Can someone offer any insights?
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

RBAC logging

Hi gurus: I have not come accross any links on the internet that shows how to set up logging in RBAC and also is it possible to get the granularity and simplicity of sudo logging in RBAC. I have heard that RBAC logs are complicated to read and not as simple and granular as sudo logs. Your help... (0 Replies)
Discussion started by: geomonap
0 Replies

2. Solaris

Rbac

I am trying to let user asillitoe su to the godbrook role to execute commands. I have editted files as follows: user_attr: asillito::::type=normal;roles=godbrook godbrook::::type=role;profiles=Gadbrook,All prof_attr: Gadbrook:::Allow root commands to be used by godbrook: exec_attr:... (0 Replies)
Discussion started by: chrisdberry
0 Replies

3. Solaris

RBAC Help

do i have to create a new account to add a role? i want the sysadmin login i have 3 users on my systems sysadmin secman oc01 also 3 profiles SA (goes t0 sysadmin account) SSO (goes to secman account) LMICS (goes to oc01 account) the user accounts are located in /h/USERS/local the... (4 Replies)
Discussion started by: deaconf19
4 Replies

4. Shell Programming and Scripting

Automating RBAC with IF/Then statement

what would be easier to automate a script if/then ? (0 Replies)
Discussion started by: deaconf19
0 Replies

5. UNIX for Dummies Questions & Answers

Unix Rbac

Can anyone help me on "How to change Unix to support RBAC policy"? (4 Replies)
Discussion started by: JPoroo
4 Replies

6. Linux

Sudo user vs RBAC

Hi all, What the difference between the sudo users & RBAC when the talk of effects after doing the above comes??? any differences between them ,kindly list ?? (1 Reply)
Discussion started by: saurabh84g
1 Replies

7. Solaris

rbac problem.

Hi all! On backup server with contab my script worked, but one command don't fine to be executed: bash-3.00$ scp itadmin@172.17.0.44:/export/backups/* /bckp1/opencms/bcp_`date +%Y%m%d`/ www-zone.cfg 100%... (0 Replies)
Discussion started by: sotich82
0 Replies

8. Solaris

RBAC related question.....

I am referring Bill Calkins(SCSA exam prep) for RBAC..actually i wanted to make a normal user to get the privilege to run a command through authorization, not through profile files... This is the exact steps given by Bill calkins.. 1.roleadd -m -d /export/home/adminusr -c... (11 Replies)
Discussion started by: saagar
11 Replies

9. HP-UX

RBAC question

hi every one i tried rbac and i made 1- role called GizaRoot 2- group called gizagroup 3- added privlage autherization called "m.k" /usr/sbin/useradd:dflt:(m.k,*):0/0//:dflt:dflt:dflt: i assigned the role to group and add user to that group then su to user and tried to use the command ... (0 Replies)
Discussion started by: maxim42
0 Replies

10. AIX

RBAC and LDAP users (AD)

Hello everyone, I am having trouble with something, and I can't find the right answer online. On our company, we are using LDAP Authentication with Active Directory (Windows 2008 Servers) to have a centralized management of AIX 7.1 users. So far so good, but now, we want to implement RBAC on... (7 Replies)
Discussion started by: Janpol
7 Replies

LEARN ABOUT HPUX

roles

roles(1)                                                           User Commands                                                          roles(1)

NAME

       roles - print roles granted to a user

SYNOPSIS

       roles [ user ...]

DESCRIPTION

       The  command  roles  prints  on  standard  output  the roles that you or the optionally-specified user have been granted. Roles are special
       accounts that correspond to a functional responsibility rather than to an actual person (referred to as a normal user).

       Each user may have zero or more roles. Roles have most of the attributes of normal users and are identified like normal users in  passwd(4)
       and  shadow(4). Each role must have an entry in the user_attr(4) file that identifies it as a role. Roles can have their own authorizations
       and profiles. See auths(1) and profiles(1).

       Roles are not allowed to log into a system as a primary user. Instead, a user must log in as him-- or herself  and  assume  the  role.  The
       actions of a role are attributable to the normal user. When auditing is enabled, the audited events of the role contain the audit ID of the
       original user who assumed the role.

       A role may not assume itself or any other role. Roles are not hierarchical. However, rights profiles (see  prof_attr(4))  are  hierarchical
       and can be used to achieve the same effect as hierarchical roles.

       Roles must have valid passwords and one of the shells that interprets profiles: either pfcsh, pfksh, or pfsh. See pfexec(1).

       Role assumption may be performed using su(1M), rlogin(1), or some other service that supports the PAM_RUSER variable. Successful assumption
       requires knowledge of the role's password and membership in the role. Role assignments are specified in user_attr(4).

EXAMPLES

       Example 1: Sample output

       The output of the roles command has the following form:

       example% roles tester01 tester02
       tester01 : admin
       tester02 : secadmin, root
       example%

EXIT STATUS

       The following exit values are returned:

       0        Successful completion.

       1        An error occurred.

FILES

       /etc/user_attr

       /etc/security/auth_attr

       /etc/security/prof_attr

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE         |      ATTRIBUTE VALUE        |
       +-----------------------------+-----------------------------+
       |Availability                 |SUNWcsu                      |
       +-----------------------------+-----------------------------+

SEE ALSO

       auths(1), pfexec(1), profiles(1), rlogin(1), su(1M), getauusernam(3BSM), auth_attr(4), passwd(4),  prof_attr(4),  shadow(4),  user_attr(4),
       attributes(5)

SunOS 5.10                                                          14 Feb 2001                                                           roles(1)
All times are GMT -4. The time now is 05:17 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy