[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

Security Guide

Understanding Authorizations

Authorizations are authority attributes for a user. These authorizations allow a user to do certain tasks. For example, a user with the UserAdmin authorization can create an administrative user by running the mkuser command. A user without this authority cannot create an administrative user.

There are two types of authorization:

Primary Authorization
Allows a user to run a specific command. For example, RoleAdmin authorization is a primary authorization allowing a user administrator to run the chrole command. Without this authorization, the command terminates without modifying the role definitions.
Authorization modifier
Increases the capability of a user. For example, UserAdmin authorization is an authorization modifier that increases the capability of a user administrator belonging to the security group. Without this authorization, the mkuser command only creates non-administrative users. With this authorization, the mkuser command also creates administrative users.
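The following Python is an added example, not part of this guide and not AIX's own implementation. It models the primary/modifier distinction: it parses a constructed /etc/security/roles-style stanza file, resolves roles that include other roles through the rolelist attribute, computes a caller's effective set of authorizations, and then applies the rules this page gives for a few commands (a missing primary authorization terminates the command; a missing modifier only restricts the command to non-administrative targets). The PRIMARY and MODIFIER tables, the check() function and the role names are assumptions made for the illustration; a real system additionally requires the group membership and set-ID bits shown in the command table later on this page.

```python
"""Model of the primary vs. modifier authorization rules (added example, not AIX code)."""
from __future__ import annotations

# Constructed sample in /etc/security/roles stanza format; not a real system file.
SAMPLE_ROLES = """\
* comment lines in AIX stanza files start with an asterisk
ManageBasicUsers:
        authorizations = UserAudit,ListAuditClasses
        rolelist =
        groups = security

ManageAllUsers:
        authorizations = UserAdmin, RoleAdmin, PasswdAdmin, GroupAdmin
        rolelist = ManageBasicUsers
        groups = security

RunDiagnostics:
        authorizations = Diagnostics
        rolelist =
        groups = system
"""


def parse_stanzas(text: str) -> dict[str, dict[str, str]]:
    """Parse 'name:' headers followed by indented 'attribute = value' lines."""
    stanzas: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("*"):  # blank line or comment
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"malformed stanza line: {raw!r}")
    return stanzas


def _split(value: str) -> list[str]:
    """Split a comma-separated attribute value, tolerating spaces and an empty value."""
    return [item.strip() for item in value.split(",") if item.strip()]


def effective_authorizations(roles: dict[str, dict[str, str]],
                             assigned: list[str]) -> set[str]:
    """Union of authorizations over the assigned roles and every role they
    include via rolelist; cycle-safe so a self-referencing role cannot loop."""
    seen: set[str] = set()
    auths: set[str] = set()
    stack = list(assigned)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stanza = roles.get(name)
        if stanza is None:
            raise KeyError(f"unknown role: {name}")
        auths.update(_split(stanza.get("authorizations", "")))
        stack.extend(_split(stanza.get("rolelist", "")))
    return auths


# Assumed mapping for the illustration, taken from the descriptions on this page.
# Primary authorization: without it the command terminates.
PRIMARY = {"chrole": "RoleAdmin", "mkrole": "RoleAdmin", "rmrole": "RoleAdmin",
           "diag": "Diagnostics", "backup": "Backup", "restore": "Restore"}
# Authorization modifier: the command still runs without it, but only
# against non-administrative users or groups.
MODIFIER = {"mkuser": "UserAdmin", "chuser": "UserAdmin", "rmuser": "UserAdmin",
            "mkgroup": "GroupAdmin", "chgroup": "GroupAdmin", "rmgroup": "GroupAdmin"}


def check(command: str, auths: set[str], target_admin: bool = False) -> tuple[bool, str]:
    """Decide whether `command` may proceed for a caller holding `auths`.
    `target_admin` says whether the user/group being acted on is administrative."""
    if command in PRIMARY:
        need = PRIMARY[command]
        if need in auths:
            return True, f"{command}: primary authorization {need} present"
        return False, f"{command}: primary authorization {need} missing, command terminates"
    if command in MODIFIER:
        need = MODIFIER[command]
        if target_admin and need not in auths:
            return False, f"{command}: {need} required to act on an administrative target"
        return True, f"{command}: allowed ({'with' if need in auths else 'without'} {need})"
    return False, f"{command}: not modelled"


if __name__ == "__main__":
    roles = parse_stanzas(SAMPLE_ROLES)
    for assigned in (["ManageBasicUsers"], ["ManageAllUsers"], ["RunDiagnostics"]):
        auths = effective_authorizations(roles, assigned)
        print(assigned, "->", sorted(auths))
        for cmd, admin in (("chrole", False), ("mkuser", False), ("mkuser", True), ("diag", False)):
            print("   ", check(cmd, auths, target_admin=admin)[1])
```

Running the block shows that ManageAllUsers inherits UserAudit and ListAuditClasses from ManageBasicUsers through rolelist, that a holder of only ManageBasicUsers can still run mkuser for a non-administrative user but is refused for an administrative one, and that chrole is refused outright without RoleAdmin.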

The authorizations perform the following functions:

Backup
Performs a system backup.

The following command uses the Backup authorization:

backup
Backs up files and file systems. The user administrator must have the Backup authorization.
Diagnostics
Allows a user to run diagnostics. This authority is also required to run diagnostic tasks directly from the command line.

The following command uses the Diagnostics authorization:

diag
Runs diagnostics on selected resources. If the user administrator does not have Diagnostics authority, the command ends.
GroupAdmin
Performs the functions of the root user on group data.

The following commands use the GroupAdmin authorization:

chgroup
Changes any group information. If the user does not have GroupAdmin authorization, they can only change non-administrative group information.
chgrpmem
Administers all groups. If the group administrator does not have GroupAdmin authorization, they can only change the membership of the group they administer; a user in group security without it can administer any non-administrative group.
chsec
Modifies administrative group data in the /etc/group and /etc/security/group files. The user can also modify the default stanza values. If the user does not have GroupAdmin authorization, they can only modify non-administrative group data in the /etc/group and /etc/security/group files.
mkgroup
Creates any group. If the user does not have GroupAdmin authorization, the user can only create non-administrative groups.
rmgroup
Removes any group. If the user does not have GroupAdmin authorization, the user can only remove non-administrative groups.
ListAuditClasses
Views the list of valid audit classes. The user administrator who uses this authorization does not have to be the root user or in the audit group.

Use the smit mkuser or smit chuser fast path to list audit classes available to make or change a user. Enter the list of audit classes in the AUDIT classes field.

PasswdAdmin
Performs the functions of the root user on password data.

The following commands use the PasswdAdmin authorization:

chsec
Modifies the lastupdate and flags attributes of all users. Without the PasswdAdmin authorization, the chsec command allows the user administrator to modify the lastupdate and flags attributes of non-administrative users only.
lssec
Views the lastupdate and flags attributes of all users. Without the PasswdAdmin authorization, the lssec command allows the user administrator to view the lastupdate and flags attributes of non-administrative users only.
pwdadm
Changes the password of all users. The user administrator must be in group security.
PasswdManage
Performs password administration functions on non-administrative users.

The following command uses the PasswdManage authorization:

pwdadm
Changes the password of a non-administrative user. The administrator must be in group security or have the PasswdManage authorization.
UserAdmin
Performs the functions of the root user on user data. Only users with UserAdmin authorization can modify the role information of a user. You cannot access or modify user auditing information with this authorization.

The following commands use the UserAdmin authorization:

chfn
Changes any user general information (gecos) field. If the user does not have UserAdmin authorization but is in group security, they can change any non-administrative user gecos field. Otherwise, users can only change their own gecos field.
chsec
Modifies administrative user data in the /etc/passwd, /etc/security/environ, /etc/security/lastlog, /etc/security/limits, and /etc/security/user files including the roles attribute. The user administrator can also modify the default stanza values and the /usr/lib/security/mkuser.default file, excluding the auditclasses attributes.
chuser
Changes any user's information except for the auditclasses attribute. If the user does not have UserAdmin authorization, they can only change non-administrative user information, except for the auditclasses and roles attributes.
mkuser
Creates any user, except for the auditclasses attribute. If the user does not have UserAdmin authorization, the user can only create non-administrative users, except for the auditclasses and roles attributes.
rmuser
Removes any user. If the user administrator does not have UserAdmin authorization, they can only remove non-administrative users.
UserAudit
Allows the user to modify user-auditing information.

The following commands use the UserAudit authorization:

chsec
Modifies the auditclasses attribute of the mkuser.default file for non-administrative users. If the user has UserAdmin authorization, they can also modify the auditclasses attribute of the mkuser.default file for administrative and non-administrative users.
chuser
Modifies the auditclasses attribute of a non-administrative user. If the user administrator has UserAdmin authorization, they can also modify the auditclasses attribute of all users.
lsuser
Views the auditclasses attribute of a non-administrative user if the user is root user or in group security. If the user has UserAdmin authorization, they can also view the auditclasses attribute of all users.
mkuser
Creates a new user and allows the user administrator to assign the auditclasses attribute of a non-administrative user. If the user has UserAdmin authorization, they can also set the auditclasses attribute of all users.
RoleAdmin
Performs the functions of the root user on role data.

The following commands use the RoleAdmin authorization:

chrole
Modifies a role. If the user administrator does not have the RoleAdmin authorization, the command ends.
lsrole
Views a role.
mkrole
Creates a role. If the user administrator does not have the RoleAdmin authorization, the command ends.
rmrole
Removes a role. If the user administrator does not have the RoleAdmin authorization, the command ends.
Restore
Performs a system restoration.

The following command uses the Restore authorization:

restore
Restores backed-up files. The user administrator must have the Restore authorization.

Authorization Commands List

The following table lists the commands, their file mode and owner.group, and the authorizations they use. Most of these commands are set-user-ID (4xxx) or set-group-ID (2xxx) programs owned by root and executable only by group security or system; the authorization check inside each command is what limits which users, groups, roles or passwords the caller may act on.

Command     Mode   Owner.Group     Authorizations
chfn        2555   root.security   UserAdmin
chuser      4550   root.security   UserAdmin, UserAudit
diag        0550   root.system     Diagnostics
lsuser      4555   root.security   UserAudit, UserAdmin
mkuser      4550   root.security   UserAdmin, UserAudit
rmuser      4550   root.security   UserAdmin
chgroup     4550   root.security   GroupAdmin
lsgroup     0555   root.security   (none)
mkgroup     4550   root.security   GroupAdmin
rmgroup     4550   root.security   GroupAdmin
chgrpmem    2555   root.security   GroupAdmin
pwdadm      4555   root.security   PasswdManage, PasswdAdmin
passwd      4555   root.security   (none)
chsec       4550   root.security   UserAdmin, GroupAdmin, PasswdAdmin, UserAudit
lssec       0550   root.security   PasswdAdmin
chrole      4550   root.security   RoleAdmin
lsrole      0550   root.security   (none)
mkrole      4550   root.security   RoleAdmin
rmrole      4550   root.security   RoleAdmin
backup      4555   root.system     Backup
restore     4555   root.system     Restore
