Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: rbac problem.
Operating Systems Solaris rbac problem. Post 302254760 by sotich82 on Wednesday 5th of November 2008 05:29:53 AM
Old 11-05-2008
rbac problem.
Hi all!
On backup server with contab my script worked, but one command don't fine to be executed:

Code:
bash-3.00$ scp itadmin@172.17.0.44:/export/backups/* /bckp1/opencms/bcp_`date +%Y%m%d`/
www-zone.cfg         100% |**********************************************************************************************************|   299       00:00
scp: /export/backups/www-zone_20081105.ufsdump: Permission denied

On that 172.17.0.44 for user itadmin:

Code:
bash-3.00$ cat /etc/user_attr
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# /etc/user_attr
#
# execution attributes for profiles. see user_attr(4)
#
#ident  "@(#)user_attr  1.1     07/01/31 SMI"
#
#
adm::::profiles=Log Management
lp::::profiles=Printer Management
postgres::::type=role;profiles=Postgres Administration,All
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
tomcat::::type=normal;defaultpriv=basic,net_privaddr
itadmin::::profiles=Primary Administrator

Please help about that roles, i dont't understand this framework.Smilie
Last edited by DukeNuke2; 11-05-2008 at 04:31 PM.. Reason: added code tags for better reading
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

RBAC logging

Hi gurus: I have not come accross any links on the internet that shows how to set up logging in RBAC and also is it possible to get the granularity and simplicity of sudo logging in RBAC. I have heard that RBAC logs are complicated to read and not as simple and granular as sudo logs. Your help... (0 Replies)
Discussion started by: geomonap
0 Replies

2. Solaris

Rbac

I am trying to let user asillitoe su to the godbrook role to execute commands. I have editted files as follows: user_attr: asillito::::type=normal;roles=godbrook godbrook::::type=role;profiles=Gadbrook,All prof_attr: Gadbrook:::Allow root commands to be used by godbrook: exec_attr:... (0 Replies)
Discussion started by: chrisdberry
0 Replies

3. Solaris

RBAC Help

do i have to create a new account to add a role? i want the sysadmin login i have 3 users on my systems sysadmin secman oc01 also 3 profiles SA (goes t0 sysadmin account) SSO (goes to secman account) LMICS (goes to oc01 account) the user accounts are located in /h/USERS/local the... (4 Replies)
Discussion started by: deaconf19
4 Replies

4. Shell Programming and Scripting

Automating RBAC with IF/Then statement

what would be easier to automate a script if/then ? (0 Replies)
Discussion started by: deaconf19
0 Replies

5. AIX

RBAC in 5.3 Question

I would like to use the Role Based access control to granulize some of the administration of AIX systems in our organization. Across the company we will be using aix 5.3. One of these roles will only have the access to make, change and delete users, something similar to ManageAllUsers. The thing... (1 Reply)
Discussion started by: dgaixsysadm
1 Replies

6. UNIX for Dummies Questions & Answers

Unix Rbac

Can anyone help me on "How to change Unix to support RBAC policy"? (4 Replies)
Discussion started by: JPoroo
4 Replies

7. Linux

Sudo user vs RBAC

Hi all, What the difference between the sudo users & RBAC when the talk of effects after doing the above comes??? any differences between them ,kindly list ?? (1 Reply)
Discussion started by: saurabh84g
1 Replies

8. HP-UX

RBAC question

hi every one i tried rbac and i made 1- role called GizaRoot 2- group called gizagroup 3- added privlage autherization called "m.k" /usr/sbin/useradd:dflt:(m.k,*):0/0//:dflt:dflt:dflt: i assigned the role to group and add user to that group then su to user and tried to use the command ... (0 Replies)
Discussion started by: maxim42
0 Replies

9. AIX

Disable RBAC - AIX

Hi all, i have a little problem... I have a Trusted AIX v. 6.1 installed on my system p. I can't disable RBAC mode... $ lsattr -El sys0 -a enhanced_RBAC enhanced_RBAC true Enhanced RBAC Mode True $ chdev -l sys0 -a enhanced_RBAC=false Method error (/usr/lib/methods/chggen): 0514-018... (3 Replies)
Discussion started by: Zio Bill
3 Replies

10. AIX

RBAC and LDAP users (AD)

Hello everyone, I am having trouble with something, and I can't find the right answer online. On our company, we are using LDAP Authentication with Active Directory (Windows 2008 Servers) to have a centralized management of AIX 7.1 users. So far so good, but now, we want to implement RBAC on... (7 Replies)
Discussion started by: Janpol
7 Replies

LEARN ABOUT OPENDARWIN

smf_security

smf_security(5)                                         Standards, Environments, and Macros                                        smf_security(5)

NAME

       smf_security - service management facility security behavior

DESCRIPTION

       The configuration subsystem for the service management facility, smf(5), requires privilege to modify the configuration of a service. Priv-
       ileges are granted to a user by associating the authorizations described below to the user  through  user_attr(4)  and  prof_attr(4).   See
       rbac(5).

       The following authorization is used to manipulate services and service instances.

       solaris.smf.modify      Authorized to add, delete, or modify services, service instances, or their properties.

   Property Group Authorizations
       The smf(5) configuration subsystem associates properties with each service and service instance. Related properties are grouped. Groups may
       represent an execution method, credential information, application data, or restarter state. The  ability  to  create  or  modify  property
       groups  can  cause  smf(5)  components  to perform actions that may require operating system privilege. Accordingly, the framework requires
       appropriate authorization to manipulate property groups.

       Each property group has a type corresponding to its purpose. The core property group types are method, dependency, application, and  frame-
       work.  Additional  property group types can be introduced, provided they conform to the extended naming convention in smf(5). The following
       basic authorizations, however, apply only to the core property group types:

       solaris.smf.modify.method

           Authorized to change values or create, delete, or modify a property group of type method.

       solaris.smf.modify.dependency

           Authorized to change values or create, delete, or modify a property group of type dependency.

       solaris.smf.modify.application

           Authorized to change values or create, delete, or modify a property group of type application.

       solaris.smf.modify.framework

           Authorized to change values or create, delete, or modify a property group of type framework.

       solaris.smf.modify

           Authorized to add, delete, or modify services, service instances, or their properties.

       Property group-specific authorization can be specified by properties contained in the property group.

       modify_authorization    Authorizations allow the addition, deletion, or modification of properties within the property group.

       value_authorization     Authorizations allow changing the values of any property of the property group except modify_authorization.

       The above authorization properties are only used if they have type astring. If an instance property group does not have one of the  proper-
       ties, but the instance's service has a property group of the same name with the property, its values are used.

   Service Action Authorization
       Certain  actions  on service instances may result in service interruption or deactivation. These actions require an authorization to ensure
       that any denial of service is a deliberate administrative action. Such actions include a request for execution of the  refresh  or  restart
       methods,  or  placement  of  a  service instance in the maintenance or other non-operational state. The following authorization allows such
       actions to be requested:

       solaris.smf.manage      Authorized to request restart, refresh, or other state modification of any service instance.

       In addition, the general/action_authorization property can specify additional authorizations that permit service actions  to  be  requested
       for that service instance. The solaris.smf.manage authorization is required to modify this property.

   Defined Rights Profiles
       Two rights profiles are included that offer grouped authorizations for manipulating typical smf(5) operations.

       Service Management

           A  service  manager  can  manipulate  any  service  in  the  repository  in  any  way.  It  corresponds  to  the solaris.smf.manage and
           solaris.smf.modify authorizations.

           The service management profile is the minimum required to use the pkgadd(1M) or pkgrm(1M) commands to add or remove  software  packages
           that contain an inventory of services in its service manifest.

       Service Operator

           A  service  operator  has  the  ability to enable or disable any service instance on the system, as well as request that its restart or
           refresh method be executed. It corresponds to the solaris.smf.manage and solaris.smf.modify.framework authorizations.

           Sites can define additional rights profiles customized to their needs.

   Remote Repository Modification
       Remote repository servers may deny modification attempts due to additional privilege checks. See NOTES.

SEE ALSO

       auths(1), profiles(1), pkgadd(1M), pkgrm(1M), prof_attr(4), user_attr(4), rbac(5), smf(5)

NOTES

       The present version of smf(5) does not support remote repositories.

SunOS 5.10                                                           2 Dec 04                                                      smf_security(5)
All times are GMT -4. The time now is 05:11 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy