
EXTRA - RBAC


RBAC:

http://www.ibm.com/developerworks/aix/library/au-aix_rbac/index.html

    * Authorizations are assigned to commands.
    * Roles are assigned to users.
    * Privileges are associated with specific processes.
    * Commands are assigned the explicit privileges they require for execution, and their execution is governed by authorizations.

The system ships with pre-defined authorizations for certain commands and pre-defined roles for system-defined users.


AIX V6 has three pre-defined roles assigned to three pre-defined users:

    * ISSO, the Information System Security Officer
    * SO, the System Operator
    * SA, the Security Administrator

The roles and authorizations of these users are defined in the following table:

User    Roles    Responsibility
------------------------------------------------------
ISSO    ISSO

    * Establishing and maintaining security policy
    * Setting passwords for users
    * Network configuration
    * Device configuration

SO    SO

    * System shutdown and reboot
    * File system backup, restore, and quotas
    * System error logging, trace, and statistics
    * Workload administration

SA    SA

    * User administration excluding password
    * Filesystem administration
    * Software installation and update
    * Network daemon management and device allocation
------------------------------------------------------


CREATING RBAC:

Step A: Creating and assigning (user-defined) authorizations and roles:

    mkauth test_auth                                          <--creates the authorization
    lsauth test_auth                                          <--verifies the authorization
    setsecattr -c accessauths=test_auth /usr/sbin/shutdown    <--associates the command (full path) with the authorization

    mkrole authorizations=test_auth test_role                 <--creates the role
    chuser roles=test_role testuser                           <--associates the role with a user
    setkst                                                    <--loads the updated security databases into the kernel security tables

Step B: Execution

    Login as testuser
    swrole test_role                                <--switch to the role test_role
    (prompts for the testuser password)
    rolelist -e                                     <--verify that testuser has the role active
    Execute the shutdown command
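
An added example, not part of the original post: a read-only audit of the chain built in Step A (command accessauths -> role authorizations -> user roles), answering which users can reach a privileged command and through which role. The stanza text is constructed sample data reusing the page's test_auth, test_role and testuser; other_auth, backup_role, opuser, the /usr/sbin/mount entry and the exact-match comparison of authorization names are assumptions.

```shell
# Constructed sample data in stanza style (assumption: not read from a live
# system; names other than test_auth/test_role/testuser are hypothetical).
PRIVCMDS='/usr/sbin/shutdown:
    accessauths = test_auth
/usr/sbin/mount:
    accessauths = other_auth'
ROLES='test_role:
    authorizations = test_auth,other_auth
backup_role:
    authorizations = other_auth'
USER_ROLES='testuser:
    roles = test_role
opuser:
    roles = backup_role'

# stanza_names DATA: print every stanza name (unindented line ending in ":")
stanza_names() {
  printf '%s\n' "$1" | awk '/^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); print }'
}

# stanza_get DATA NAME ATTR: print the value of ATTR inside stanza NAME
stanza_get() {
  printf '%s\n' "$1" | awk -v name="$2" -v attr="$3" '
    /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); cur = $0; next }
    cur == name { split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
                  if (kv[1] == attr) print kv[2] }'
}

# lists_overlap A B: succeed if two comma-separated lists share an item
lists_overlap() {
  for a in $(printf '%s' "$1" | tr ',' ' '); do
    case ",$2," in *",$a,"*) return 0 ;; esac
  done
  return 1
}

# users_for_command CMD: print "user via role" for each user who can run CMD
users_for_command() {
  need=$(stanza_get "$PRIVCMDS" "$1" accessauths)
  [ -n "$need" ] || return 0   # no accessauths entry: nothing to report
  for user in $(stanza_names "$USER_ROLES"); do
    for role in $(stanza_get "$USER_ROLES" "$user" roles | tr ',' ' '); do
      if lists_overlap "$need" "$(stanza_get "$ROLES" "$role" authorizations)"; then
        echo "$user via $role"; break
      fi
    done
  done
}

users_for_command /usr/sbin/shutdown
```

Running the same query before and after a role change shows whether an authorization reached more users than intended, for example through a role that bundles several authorizations.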

------------------------------------------------------
