Authorizations are authority attributes for a user. These authorizations allow a user to do certain tasks. For example, a user with the UserAdmin authorization can create an administrative user by running the mkuser command. A user without this authority cannot create an administrative user.
There are two types of authorizations:
| Type | Description |
|---|---|
| Primary authorization | Allows a user to execute a specific command. For example, RoleAdmin authorization is a primary authorization allowing a user administrator to execute the chrole command. Without this authorization, the command terminates without modifying the role definitions. |
| Authorization modifier | Increases the capability of a user. For example, UserAdmin authorization is an authorization modifier that increases the capability of a user administrator belonging to the group security. Without this authorization, the mkuser command only creates non-administrative users. With this authorization, the mkuser command also creates administrative users. |
The authorizations are the following:
| Authorization | Command | Description |
|---|---|---|
| Backup | | Performs a system backup. |
| | backup | Backs up files and file systems. The user administrator must have Backup authorization. |
| GroupAdmin | | Performs the functions of the root user on group data. |
| | chgroup | Changes any group information. If the user does not have GroupAdmin authorization, they can only change non-administrative group information. |
| | chgrpmem | Administers all groups. If the group administrator does not have GroupAdmin authorization, they can only change the membership of the group they administer; a user in group security can administer any non-administrative group. |
| | chsec | Modifies administrative group data in the /etc/group and /etc/security/group files. The user can also modify the default: stanza values. If the user does not have GroupAdmin authorization, they can only modify non-administrative group data in the /etc/group and /etc/security/group files. |
| | mkgroup | Creates any group. If the user does not have GroupAdmin authorization, the user can only create non-administrative groups. |
| | rmgroup | Removes any group. If the user does not have GroupAdmin authorization, the user can only remove non-administrative groups. |
| ListAuditClasses | | Views the list of valid audit classes. The user administrator who uses this authorization does not have to be the root user or in group audit. Use the smit mkuser or smit chuser fast path to list the audit classes available when making or changing a user. Enter the list of audit classes in the AUDIT classes field. |
| PasswdAdmin | | Performs the functions of the root user on password data. |
| | chsec | Modifies the lastupdate and flags attributes of all users. Without the PasswdAdmin authorization, the chsec command allows the user administrator to modify only the lastupdate and flags attributes of non-administrative users. |
| | lssec | Views the lastupdate and flags attributes of all users. Without the PasswdAdmin authorization, the lssec command allows the user administrator to view only the lastupdate and flags attributes of non-administrative users. |
| | pwdadm | Changes the password of any user. The user administrator must be in group security. |
| PasswdManage | | Performs password administration functions on non-administrative users. |
| | pwdadm | Changes the password of a non-administrative user. The administrator must be in group security or have the PasswdManage authorization. |
| UserAdmin | | Performs the functions of the root user on user data. Only users with UserAdmin authorization can modify the role information of a user. You cannot access or modify user auditing information with this authorization. |
| | chfn | Changes any user's gecos (general information) field. If the user does not have UserAdmin authorization but is in group security, they can change any non-administrative user's gecos field. Otherwise, users can only change their own gecos field. |
| | chsec | Modifies administrative user data in the /etc/passwd, /etc/security/environ, /etc/security/lastlog, /etc/security/limits, and /etc/security/user files, including the roles attribute. The user administrator can also modify the default: stanza values and the /usr/lib/security/mkuser.default file, excluding the auditclasses attribute. |
| | chuser | Changes any user's information except for the auditclasses attribute. If the user does not have UserAdmin authorization, they can only change non-administrative user information, except for the auditclasses and roles attributes. |
| | mkuser | Creates any user, except for setting the auditclasses attribute. If the user does not have UserAdmin authorization, the user can only create non-administrative users, except for the auditclasses and roles attributes. |
| | rmuser | Removes any user. If the user administrator does not have UserAdmin authorization, they can only remove non-administrative users. |
| UserAudit | | Allows the user to modify user-auditing information. |
| | chsec | Modifies the auditclasses attribute of the mkuser.default file for non-administrative users. If the user also has UserAdmin authorization, they can modify the auditclasses attribute of the mkuser.default file for administrative and non-administrative users. |
| | chuser | Modifies the auditclasses attribute of a non-administrative user. If the user administrator also has UserAdmin authorization, they can modify the auditclasses attribute of all users. |
| | lsuser | Views the auditclasses attribute of a non-administrative user if the user is the root user or in group security. If the user also has UserAdmin authorization, they can view the auditclasses attribute of all users. |
| | mkuser | Creates a new user and allows the user administrator to assign the auditclasses attribute of a non-administrative user. If the user also has UserAdmin authorization, they can set the auditclasses attribute of all users. |
| RoleAdmin | | Performs the functions of the root user on role data. |
| | chrole | Modifies a role. If the user administrator does not have the RoleAdmin authorization, the command terminates. |
| | lsrole | Views a role. |
| | mkrole | Creates a role. If the user administrator does not have the RoleAdmin authorization, the command terminates. |
| | rmrole | Removes a role. If the user administrator does not have the RoleAdmin authorization, the command terminates. |
| Restore | | Performs a system restoration. |
| | restore | Restores backed-up files. The user administrator must have Restore authorization. |
See "Command to Authorization List" for a mapping of commands to authorizations.
The following table lists the commands, their file permissions (mode and owner.group), and the authorizations they check.

| Command | Permissions | Authorizations |
|---|---|---|
| chfn | 2555 root.security | UserAdmin |
| chuser | 4550 root.security | UserAdmin, UserAudit |
| lsuser | 4555 root.security | UserAudit, UserAdmin |
| mkuser | 4550 root.security | UserAdmin, UserAudit |
| rmuser | 4550 root.security | UserAdmin |
| chgroup | 4550 root.security | GroupAdmin |
| lsgroup | 0555 root.security | |
| mkgroup | 4550 root.security | GroupAdmin |
| rmgroup | 4550 root.security | GroupAdmin |
| chgrpmem | 2555 root.security | GroupAdmin |
| pwdadm | 4555 root.security | PasswdManage, PasswdAdmin |
| passwd | 4555 root.security | |
| chsec | 4550 root.security | UserAdmin, GroupAdmin, PasswdAdmin, UserAudit |
| lssec | 0550 root.security | PasswdAdmin |
| chrole | 4550 root.security | RoleAdmin |
| lsrole | 0550 root.security | |
| mkrole | 4550 root.security | RoleAdmin |
| rmrole | 4550 root.security | RoleAdmin |
| backup | 4555 root.system | Backup |
| restore | 4555 root.system | Restore |
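The permission column encodes two separate gates: the mode decides who may execute the binary at all (0550 requires membership in the owning group, 0555 does not), and the setuid/setgid bit decides which privilege the binary runs with before the authorization check applies. The following Python is an added audit helper, not part of the AIX documentation; it transcribes the table above and, for a hypothetical administrator described by group memberships and held authorizations, reports which listed commands are runnable, what privilege each acquires, and which of the command's authorizations the caller actually holds.

```python
import stat

# Rows transcribed from the Command / Permissions / Authorizations table above.
ROWS = """chfn 2555 root.security UserAdmin
chuser 4550 root.security UserAdmin,UserAudit
lsuser 4555 root.security UserAudit,UserAdmin
mkuser 4550 root.security UserAdmin,UserAudit
rmuser 4550 root.security UserAdmin
chgroup 4550 root.security GroupAdmin
lsgroup 0555 root.security -
mkgroup 4550 root.security GroupAdmin
rmgroup 4550 root.security GroupAdmin
chgrpmem 2555 root.security GroupAdmin
pwdadm 4555 root.security PasswdManage,PasswdAdmin
passwd 4555 root.security -
chsec 4550 root.security UserAdmin,GroupAdmin,PasswdAdmin,UserAudit
lssec 0550 root.security PasswdAdmin
chrole 4550 root.security RoleAdmin
lsrole 0550 root.security -
mkrole 4550 root.security RoleAdmin
rmrole 4550 root.security RoleAdmin
backup 4555 root.system Backup
restore 4555 root.system Restore"""

def parse_rows(text=ROWS):
    """Map command -> (mode bits, owning group, set of authorizations the command checks)."""
    table = {}
    for line in text.splitlines():
        cmd, mode, owner, auths = line.split()
        table[cmd] = (int(mode, 8), owner.split(".")[1],
                      set() if auths == "-" else set(auths.split(",")))
    return table

def can_execute(mode, group, caller_groups):
    """A non-root caller needs the 'other' x bit, or the group x bit plus group membership."""
    if mode & stat.S_IXOTH:
        return True
    return bool(mode & stat.S_IXGRP) and group in caller_groups

def privilege(mode, group):
    """Privilege the binary acquires at exec time: setuid root, setgid owning group, or none."""
    if mode & stat.S_ISUID:
        return "setuid root"
    return "setgid " + group if mode & stat.S_ISGID else "none"

def report(caller_groups, caller_auths):
    """Per command: (runnable by this caller, exec-time privilege, held authorizations it checks)."""
    return {cmd: (can_execute(m, g, caller_groups), privilege(m, g), sorted(a & set(caller_auths)))
            for cmd, (m, g, a) in parse_rows().items()}
```

A caller outside group security cannot even start chsec, chrole or lssec regardless of authorizations, while passwd and pwdadm run setuid root for everyone and rely entirely on their internal checks.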