
Commands Reference, Volume 1


chrole Command

Purpose

Changes role attributes. This command applies only to AIX 4.2.1 and later.

Syntax

chrole Attribute=Value ... Name

Description

The chrole command changes attributes for the role identified by the Name parameter. The role name must already exist. To change an attribute, specify the attribute name and the new value with the Attribute=Value parameter.

If you specify a single incorrect attribute or attribute value with the chrole command, the command does not change any attribute.

You can use the Users application in Web-based System Manager (wsm) to change user characteristics. You could also use the System Management Interface Tool (SMIT) smit chrole fast path to run this command.

Restrictions on Modifying Roles

To ensure the integrity of the role information, only users with the RoleAdmin authorization can modify the attributes of a role.

Attributes

If you have the proper authority, you can set the following user attributes:

authorizations
    List of additional authorizations required for this role beyond those defined by the roles in the rolelist attribute. The Value parameter is a list of authorization names, separated by commas.
groups
    List of groups to which a user should belong, in order to effectively use this role. This attribute is for information only and does not automatically make the user a member of the list of groups. The Value parameter is a list of group names, separated by commas.
msgcat
    Contains a message catalog number for referencing the msgnum attribute. The Value parameter is an integer.
msgnum
    Contains the index into a message catalog for a description of the role. The Value parameter is an integer.
rolelist
    Lists the roles implied by this role. The Value parameter is a list of role names, separated by commas.
screens
    Lists the SMIT screen identifiers allowing roles to be mapped to various SMIT screens. The Value parameter is a list of SMIT screen identifiers, separated by commas.
visibility
    Specifies the role's visibility status to the system. The Value parameter is an integer. Possible values are:

    1
        The role is enabled, displayed, and selectable. Authorizations contained in this role are applied to the user. If the attribute does not exist or has no value, the default value is 1.

    0
        The role is enabled and displayed as existing, but not selectable through a visual interface. Authorizations contained in this role are applied to the user.

    -1
        The role is disabled. Authorizations contained in this role are not applied to the user.

Security

Files Accessed:

Mode    File
rw      /etc/security/roles
r       /etc/security/user.roles

Auditing Events:

Event          Information
ROLE_Change    role, attribute

Examples

  1. To change the authorizations of the role ManageUserBasic to PasswdAdmin, enter:

    chrole authorizations=PasswdAdmin ManageUserBasic
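
The following added example, which is not part of the AIX documentation, shows what a chrole change to authorizations, rolelist or visibility amounts to by resolving the authorizations a role carries once its rolelist is expanded. The stanza layout of /etc/security/roles, the sample roles, and the rule that a disabled role contributes nothing when it is implied through rolelist are assumptions.

```python
# Assumption: /etc/security/roles uses AIX stanza syntax ("name:" then "attr = value").
SAMPLE_ROLES = """\
* constructed sample, not taken from a real system
ManageUserBasic:
        authorizations = PasswdAdmin
        rolelist = ManagePasswds,OldHelpdesk
ManagePasswds:
        authorizations = PasswdManage
        rolelist = ManageUserBasic
OldHelpdesk:
        authorizations = UserAdmin
        visibility = -1
"""

def parse_roles(text):
    """Return {role: {attribute: value}} from stanza-format text."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):        # blank line or comment
            continue
        if line.endswith(":") and "=" not in line:  # stanza header
            current = roles.setdefault(line[:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return roles

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def effective_authorizations(roles, name, seen=None):
    """Own authorizations plus those of every role in rolelist, recursively."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:           # cycle or dangling reference
        return set()
    seen.add(name)
    attrs = roles[name]
    if int(attrs.get("visibility") or 1) == -1:     # missing/empty defaults to 1
        return set()                                # disabled: nothing is applied
    auths = set(split_list(attrs.get("authorizations", "")))
    for implied in split_list(attrs.get("rolelist", "")):
        auths |= effective_authorizations(roles, implied, seen)
    return auths

if __name__ == "__main__":
    roles = parse_roles(SAMPLE_ROLES)
    for role in sorted(roles):
        print(role, sorted(effective_authorizations(roles, role)))
```

Running the resolver on a copy of the roles file before and after a chrole change makes any widening of a role's authorizations visible for review alongside the ROLE_Change audit event.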
    

Files


/etc/security/roles         Contains the attributes of roles.
/etc/security/user.roles    Contains the role attribute of users.

Related Information

The lsrole command, mkrole command, rmrole command, chuser command, lsuser command, mkuser command.

For information on installing the Web-based System Manager, see Chapter 2: Installation and System Requirements in AIX 5L Version 5.1 Web-based System Manager Administration Guide.

Security Administration in AIX 5L Version 5.1 System Management Guide: Operating System and Devices.

Administrative Roles Overview in AIX 5L Version 5.1 System Management Guide: Operating System and Devices.

