authadm(1M)authadm(1M)NAMEauthadm - non-interactive command for administrating the authorization
information in the RBAC databases
SYNOPSIS
[object [comments]]
[object]
operation [object]
subrole
DESCRIPTION
is a non-interactive command that allows users with the appropriate
privileges to modify and list authorization information in the and RBAC
databases files.
HP recommends using only the and commands to edit and view the RBAC
databases -- do not edit the RBAC files without these commands.
See rbac(5) for more information on these RBAC databases.
Options
With the exception of the option, all options recognize a default
object. If the parameter is specified with a non-empty value in the
security default file, then the value of this parameter will be the
default object. However, if the parameter does not exist or is set to
an empty value, then the default object will be set to a wild card (*).
Here is how to specify a value to the parameter in
For example: In sets the default object to If line is not present or is
commented out, then the default object will be set to "*".
recognizes the following options:
Adds an authorization pair
(operation, object) to the system list of valid authorizations
by appending a line to the file.
If object is not specified, then a default object will be
assigned. The default object will either be a wild card (*) or
the object specified in the security default configuration file,
A comment may not be specified when adding an entry that refers
to the default object in The only way to add a comment to an
entry with the option is to specify the object explicitly.
Deletes an authorization from the system list of valid authorizations.
If object is not specified, then a default object will be
assumed. The default object will either be a wild card (*) or
the object specified in the security default configuration file,
If the authorization exists in deletes the entry. If the speci‐
fied authorization is assigned to any roles in will remove the
authorization from the role. If the specified authorization
exists in an entry in will remove the entire entry. If the
authorization does not exist in returns an error message. See
the section below for more information.
Assigns an authorization pair
to a role. verifies the role exists in before verifying the
authorization pair exists in appends the authorization to the
role to authorization mapping in if the role and authorization
pair exists.
If object is not specified, then a default object will be
assigned. The default object will either be a wild card (*) or
the object specified in the security default configuration file,
Assigns a role to another different role.
The role being assigned to the other different role is referred
to as a A subrole is any valid role defined in the database.
The option allows hierarchical role definition (one role can
inherit other subrole). After assigning a subrole to another
role, that role will also have all the authorizations of the
subrole, and any of its subroles. More than one subrole can be
assigned to other different role. verifies the role and subrole
exist in It also verifies that there is no recursive definitions
of the role and subrole. (If "role1" has a subrole of "role2",
and if you try to "role1" to "role2", this will cause a recur‐
sive definition of both "role1" and "role2"). appends the sub‐
role to the role to authorization mapping in
Revokes an authorization from the specified role in If no autho‐
rization is specified, revokes all the authorizations for the
given role. If object is not specified, then a default object
will be assumed. The default object will either be a wild card
(*) or the object specified in the security default configura‐
tion file,
The file will be modified by the command.
Revokes a subrole from the specified role in Note that the role
specified as the subrole is not revoked from the database, just
the subrole assignment is revoked.
For instance, if these entries are in the database:
will modify the line to:
revokes specified the authorizations and/or subrole for the
given role.
Note: The file will be modified by the command.
Invoking the list command without any parameters lists every
entry in Specifying a role name lists all the authorizations and
subroles assigned to that role name. Specifying an operation
name lists all the roles witch have that operation name. Speci‐
fying a subrole name lists all the roles which have that subrole
name. Specifying lists all the authorizations in the database.
Authorizations
In order to invoke the user must either be root, (running with effec‐
tive uid of 0), or have the appropriate authorization(s). The follow‐
ing is a list of the required authorizations for running with particu‐
lar options:
Allows user to run
with option.
Allows user to run
option.
Allows user to run
with or option.
Allows user to run
with or option.
Allows user to run
with option.
EXTERNAL INFLUENCES
Environment Variables
determines the language in which messages are displayed.
International Code Set Support
Single-byte character code set is supported.
RETURN VALUE
Success.
If is successful, it returns
Failure.
returns and prints an appropriate error message to stderr.
EXAMPLES
The following commands each add an authorization (operation, object)
entry in the database file:
The following commands each delete an authorization (operation, object)
entry from the database file:
The following commands each assign an authorization (operation, object)
pair to a role in database file:
The following commands each assign a subrole to a role in database
file:
The following commands each revokes an operation for the specified
operation from a role in the file:
The following commands each revokes a subrole from the specified role
in the database file:
The following command lists all the authorizations for the role:
The following command lists all the entries with operation
The following command lists all the entries with object
The following command lists all the roles with their authorizations in
database:
FILES
Database containing valid definitions of all roles.
Database containing definitions of all valid authorizations.
Database specifying the roles allowed for each specified user.
Database defining the authorizations for each specified role.
SEE ALSOcmdprivadm(1M), privrun(1M), rbacdbchk(1M), roleadm(1M), rbac(5).
authadm(1M)