Security Guide
Understanding Authorizations
Authorizations are authority attributes for a user. These authorizations
allow a user to do certain tasks. For example, a user with the UserAdmin
authorization can create an administrative user by running the mkuser command. A user without this authority cannot
create an administrative user.
There are two types of authorization:
- Primary Authorization
- Allows a user to run a specific command. For example, RoleAdmin authorization
is a primary authorization allowing a user administrator to run the chrole command. Without this authorization, the command
terminates without modifying the role definitions.
- Authorization modifier
- Increases the capability of a user. For example, UserAdmin authorization
is an authorization modifier that increases the capability of a user administrator
belonging to the security group. Without this authorization,
the mkuser command only creates non-administrative
users. With this authorization, the mkuser command
also creates administrative users.
The authorizations perform the following functions:
- Backup
- Performs a system backup.
The following command uses the Backup authorization:
- backup
- Backs up files and file systems. The user administrator must have Backup
authorization.
- Diagnostics
- Allows a user to run diagnostics. This authority is also required to
run diagnostic tasks directly from the command line.
The following command
uses the Diagnostics authorization:
- diag
- Runs diagnostics on selected resources. If the user administrator does
not have Diagnostics authority, the command ends.
- GroupAdmin
- Performs the functions of the root user on group data.
The following
commands use the GroupAdmin authorization:
- chgroup
- Changes any group information. If the user does not have GroupAdmin
authorization, they can only change non-administrative group information.
- chgrpmem
- Administers the membership of all groups. Without GroupAdmin authorization,
a group administrator can change only the membership of the groups they
administer, and a user in group security can administer only non-administrative
groups.
- chsec
- Modifies administrative group data in the /etc/group and /etc/security/group files. The user can also
modify the default stanza values. If the user does
not have GroupAdmin authorization, they can only modify non-administrative
group data in the /etc/group and /etc/security/group files.
- mkgroup
- Creates any group. If the user does not have GroupAdmin authorization,
the user can only create non-administrative groups.
- rmgroup
- Removes any group. If the user does not have GroupAdmin authorization,
the user can only remove non-administrative groups.
- ListAuditClasses
- Views the list of valid audit classes. The user administrator who uses
this authorization does not have to be the root user or in the audit group.
Use the smit mkuser or
smit chuser fast path to list audit classes
available to make or change a user. Enter the list of audit classes in the
AUDIT classes field.
- PasswdAdmin
- Performs the functions of the root user on password data.
The following commands use the PasswdAdmin authorization:
- chsec
- Modifies the lastupdate and flags attributes of all users. Without the PasswdAdmin authorization,
the chsec command allows the user administrator to
only modify the lastupdate and flags attribute of non-administrative users.
- lssec
- Views the lastupdate and flags attributes of all users. Without the PasswdAdmin authorization, the lssec command allows the user administrator to only view
the lastupdate and flags attribute
of non-administrative users.
- pwdadm
- Changes the password of all users. The user administrator must be in
group security.
- PasswdManage
- Performs password administration functions on non-administrative
users.
The following command uses the PasswdManage authorization:
- pwdadm
- Changes the password of a non-administrative user. The administrator
must be in group security or have the PasswdManage authorization.
- UserAdmin
- Performs the functions of the root
user on user data. Only users with UserAdmin authorization can modify the
role information of a user. You cannot access or modify user auditing information
with this authorization.
The following commands use
the UserAdmin authorization:
- chfn
- Changes any user general information (gecos) field. If the user does
not have UserAdmin authorization but is in group security, they can change
any non-administrative user gecos field. Otherwise, users can only change
their own gecos field.
- chsec
- Modifies administrative user data in the /etc/passwd, /etc/security/environ, /etc/security/lastlog, /etc/security/limits, and /etc/security/user files including the roles attribute. The user administrator
can also modify the default stanza values and the /usr/lib/security/mkuser.default file, excluding the auditclasses attributes.
- chuser
- Changes any user's information except for the auditclasses attribute.
If the user does not have UserAdmin authorization, they can only change non-administrative
user information, except for the auditclasses and roles attributes.
- mkuser
- Creates any user, except for the auditclasses attribute. If the user
does not have UserAdmin authorization, the user can only create non-administrative
users, except for the auditclasses and roles attributes.
- rmuser
- Removes any user. If the user administrator does not have UserAdmin
authorization, they can only remove non-administrative users.
- UserAudit
- Allows the user to modify user-auditing information.
The following
commands use the UserAudit authorization:
- chsec
- Modifies the auditclasses attribute of the mkuser.default file for non-administrative users. If the user has UserAdmin authorization,
they can also modify the auditclasses attribute of the mkuser.default file for administrative and non-administrative users.
- chuser
- Modifies the auditclasses attribute of a non-administrative user. If
the user administrator has UserAdmin authorization, they can also modify
the auditclasses attribute of all users.
- lsuser
- Views the auditclasses attribute of a non-administrative user if the
user is root user or in group security. If the user has UserAdmin authorization,
they can also view the auditclasses attribute of all users.
- mkuser
- Creates a new user and allows user administrator to assign the auditclasses
attribute of a non-administrative user. If the user has UserAdmin authorization,
they can also modify the auditclasses attribute of all users.
- RoleAdmin
- Performs the functions of the root user on role data.
The following
commands use the RoleAdmin authorization:
- chrole
- Modifies a role. If the user administrator does not have the RoleAdmin
authorization, the command ends.
- lsrole
- Views a role.
- mkrole
- Creates a role. If the user administrator does not have the RoleAdmin
authorization, the command ends.
- rmrole
- Removes a role. If the user administrator does not have the RoleAdmin
authorization, the command ends.
- Restore
- Performs a system restoration.
The following command uses the Restore
authorization:
- restore
- Restores backed-up files. The user administrator must have Restore
authorization.
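The rules above are easier to reason about as a decision procedure: which caller may run which command against which target, and with which attributes. The following Python model is an added example, not IBM code and not how the AIX commands themselves are implemented. It encodes the page's rules for mkuser/chuser, pwdadm, chfn, the group commands and the role commands. Two assumptions are made: root bypasses every check (the page describes the authorizations as granting "the functions of the root user"), and membership in group security stands in for the 4550 root.security file mode that, as the command table later on this page shows, is the first gate for most of these commands.

```python
# Added example (not IBM code): a model of the authorization checks described
# on this page. Assumptions: root bypasses all checks; group security stands in
# for the 4550 root.security file mode of mkuser, chuser, the group commands
# and the role commands.
from dataclasses import dataclass, field


@dataclass
class Caller:
    """The account invoking a command: its name, authorizations and groups."""
    name: str
    auths: set = field(default_factory=set)
    groups: set = field(default_factory=set)

    @property
    def is_root(self) -> bool:
        return self.name == "root"

    @property
    def in_security(self) -> bool:
        return "security" in self.groups


def check_user_cmd(caller: Caller, target_admin: bool, attrs=()) -> tuple:
    """Rules shared by mkuser and chuser. attrs: attributes being set.

    UserAdmin is a modifier: without it only non-administrative users may be
    created or changed, and the roles attribute may not be set at all.
    UserAudit alone governs auditclasses; UserAdmin never grants it.
    """
    attrs = set(attrs)
    if caller.is_root:
        return True, "root"
    if not caller.in_security:
        return False, "mode 4550 root.security: caller must be root or in group security"
    if target_admin and "UserAdmin" not in caller.auths:
        return False, "administrative user: UserAdmin required"
    if "roles" in attrs and "UserAdmin" not in caller.auths:
        return False, "roles attribute: UserAdmin required"
    if "auditclasses" in attrs and "UserAudit" not in caller.auths:
        # An administrative target therefore needs UserAdmin *and* UserAudit.
        return False, "auditclasses attribute: UserAudit required"
    return True, "ok"


def check_pwdadm(caller: Caller, target_admin: bool) -> tuple:
    """pwdadm is 4555, so anyone can start it; the authorization picks the scope."""
    if caller.is_root:
        return True, "root"
    if target_admin:
        if "PasswdAdmin" in caller.auths and caller.in_security:
            return True, "PasswdAdmin"
        return False, "administrative user: PasswdAdmin plus group security required"
    if caller.in_security or "PasswdManage" in caller.auths:
        return True, "group security or PasswdManage"
    return False, "non-administrative user: group security or PasswdManage required"


def check_chfn(caller: Caller, target: str, target_admin: bool) -> tuple:
    """chfn is 2555 root.security: anyone runs it, scope depends on authorization."""
    if caller.is_root or "UserAdmin" in caller.auths:
        return True, "root or UserAdmin: any user's gecos field"
    if caller.in_security and not target_admin:
        return True, "group security: non-administrative users"
    if target == caller.name:
        return True, "own gecos field"
    return False, "only your own gecos field"


def check_group_cmd(caller: Caller, target_admin: bool) -> tuple:
    """mkgroup, chgroup, rmgroup (4550 root.security); GroupAdmin is a modifier."""
    if caller.is_root:
        return True, "root"
    if not caller.in_security:
        return False, "mode 4550 root.security: caller must be root or in group security"
    if target_admin and "GroupAdmin" not in caller.auths:
        return False, "administrative group: GroupAdmin required"
    return True, "ok"


def check_role_cmd(caller: Caller) -> tuple:
    """mkrole, chrole, rmrole: RoleAdmin is a primary authorization, all or nothing."""
    if caller.is_root:
        return True, "root"
    if not caller.in_security:
        return False, "mode 4550 root.security: caller must be root or in group security"
    if "RoleAdmin" not in caller.auths:
        return False, "RoleAdmin required: command ends without changing roles"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample callers, not real accounts.
    auditor = Caller("alice", {"UserAudit"}, {"security"})
    useradm = Caller("bob", {"UserAdmin"}, {"security"})
    print("alice sets auditclasses on staff user:", check_user_cmd(auditor, False, {"auditclasses"}))
    print("alice changes an admin user:          ", check_user_cmd(auditor, True))
    print("bob sets auditclasses on admin user:  ", check_user_cmd(useradm, True, {"auditclasses"}))
    print("bob assigns roles:                    ", check_user_cmd(useradm, False, {"roles"}))
```

The model makes the modifier semantics visible: a caller holding only UserAdmin can change an administrative user but not that user's auditclasses, while a caller holding only UserAudit can set auditclasses but only for non-administrative users; auditing administrative users needs both.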
Authorization Commands List
The following table lists each command, the file mode and owner.group of the
command, and the authorizations the command checks. The mode is the first gate:
modes ending in 50 (4550, 0550) can be executed only by root and members of the
owning group, so for most of these commands a caller must be in group security
(or group system for diag) before any authorization is consulted. Modes ending
in 55 (4555, 2555, 0555) can be started by any user, and the command's own
authorization check is the only control on what that user may do. "(none)"
means the command checks no authorization.

Command    Permissions          Authorizations
chfn       2555 root.security   UserAdmin
chuser     4550 root.security   UserAdmin, UserAudit
diag       0550 root.system     Diagnostics
lsuser     4555 root.security   UserAudit, UserAdmin
mkuser     4550 root.security   UserAdmin, UserAudit
rmuser     4550 root.security   UserAdmin
chgroup    4550 root.security   GroupAdmin
lsgroup    0555 root.security   (none)
mkgroup    4550 root.security   GroupAdmin
rmgroup    4550 root.security   GroupAdmin
chgrpmem   2555 root.security   GroupAdmin
pwdadm     4555 root.security   PasswdManage, PasswdAdmin
passwd     4555 root.security   (none)
chsec      4550 root.security   UserAdmin, GroupAdmin, PasswdAdmin, UserAudit
lssec      0550 root.security   PasswdAdmin
chrole     4550 root.security   RoleAdmin
lsrole     0550 root.security   (none)
mkrole     4550 root.security   RoleAdmin
rmrole     4550 root.security   RoleAdmin
backup     4555 root.system     Backup
restore    4555 root.system     Restore
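Because the file mode and group ownership are the first gate, drift in either one widens who can invoke a setuid-root command before any authorization is checked: a chuser binary that has become 4555 can be started by every user on the system, and a chsec binary whose group has changed from security to staff can be started by every member of staff. The following script is an added example, not IBM code, that checks ls -l output against the table above. The ls -l lines it carries are constructed sample input, and the paths, sizes and dates in them are assumed for illustration; audit_live() runs the same check against the real files on a host.

```python
# Added example (not IBM code): compare the installed commands' mode and
# owner.group with the table above and report drift. The sample ls -l lines,
# their paths, sizes and dates are constructed for illustration.
import os

# Expected (mode, owner, group) per command, copied from the table above.
EXPECTED = {
    "chfn": ("2555", "root", "security"),     "chuser": ("4550", "root", "security"),
    "diag": ("0550", "root", "system"),       "lsuser": ("4555", "root", "security"),
    "mkuser": ("4550", "root", "security"),   "rmuser": ("4550", "root", "security"),
    "chgroup": ("4550", "root", "security"),  "lsgroup": ("0555", "root", "security"),
    "mkgroup": ("4550", "root", "security"),  "rmgroup": ("4550", "root", "security"),
    "chgrpmem": ("2555", "root", "security"), "pwdadm": ("4555", "root", "security"),
    "passwd": ("4555", "root", "security"),   "chsec": ("4550", "root", "security"),
    "lssec": ("0550", "root", "security"),    "chrole": ("4550", "root", "security"),
    "lsrole": ("0550", "root", "security"),   "mkrole": ("4550", "root", "security"),
    "rmrole": ("4550", "root", "security"),   "backup": ("4555", "root", "system"),
    "restore": ("4555", "root", "system"),
}


def symbolic_to_octal(sym: str) -> str:
    """Convert a 10-character ls -l mode field ('-r-sr-x---') to 4-digit octal ('4550')."""
    if len(sym) != 10:
        raise ValueError("bad mode field: %r" % sym)
    special, perm = 0, 0
    for i, ch in enumerate(sym[1:]):       # 9 permission characters, user/group/other
        shift = 8 - i                      # bit position within the 9 permission bits
        if ch in "rwx":
            perm |= 1 << shift
        elif ch in "sS":                   # setuid in the user x slot, setgid in the group x slot
            special |= 4 if i == 2 else 2
            if ch == "s":
                perm |= 1 << shift
        elif ch in "tT":                   # sticky bit in the other x slot
            special |= 1
            if ch == "t":
                perm |= 1 << shift
        elif ch != "-":
            raise ValueError("bad permission character: %r" % ch)
    return "%d%03o" % (special, perm)


def parse_ls_line(line: str):
    """Return (octal mode, owner, group, path) from one ls -l line."""
    parts = line.split()
    if len(parts) < 9:
        raise ValueError("not an ls -l line: %r" % line)
    return symbolic_to_octal(parts[0]), parts[2], parts[3], parts[-1]


def audit(lines):
    """One finding per mismatch: (command, field, expected, actual, verdict)."""
    findings = []
    for line in lines:
        mode, owner, group, path = parse_ls_line(line)
        cmd = os.path.basename(path)
        if cmd not in EXPECTED:
            continue
        exp_mode, exp_owner, exp_group = EXPECTED[cmd]
        if mode != exp_mode:
            # Any permission bit gained over the documented mode widens access.
            gained = int(mode, 8) & ~int(exp_mode, 8)
            findings.append((cmd, "mode", exp_mode, mode, "loosened" if gained else "tightened"))
        if owner != exp_owner:
            findings.append((cmd, "owner", exp_owner, owner, "changed"))
        if group != exp_group:
            # For a 4550 binary the owning group decides who may run it at all.
            findings.append((cmd, "group", exp_group, group, "changed"))
    return findings


def audit_live(paths):
    """Run the same check against real files (any POSIX host, AIX included)."""
    import grp, pwd, stat
    lines = []
    for p in paths:
        st = os.stat(p)
        lines.append("%s 1 %s %s 0 Jan 1 1970 %s" % (
            stat.filemode(st.st_mode), pwd.getpwuid(st.st_uid).pw_name,
            grp.getgrgid(st.st_gid).gr_name, p))
    return audit(lines)


# Constructed sample output of "ls -l": mkuser has drifted to 4555 and chsec's
# group has been changed to staff; the other four entries match the table.
SAMPLE_LS = """\
-r-sr-x---   1 root     security     52338 Aug 14 2003  /usr/bin/chuser
-r-sr-xr-x   1 root     security     41230 Aug 14 2003  /usr/bin/mkuser
-r-sr-x---   1 root     staff        61110 Aug 14 2003  /usr/bin/chsec
-r-xr-sr-x   1 root     security     19002 Aug 14 2003  /usr/bin/chfn
-r-sr-xr-x   1 root     security     23910 Aug 14 2003  /usr/bin/pwdadm
-r-sr-xr-x   1 root     system       80124 Aug 14 2003  /usr/sbin/backup
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LS):
        print("%s: %s expected %s, found %s (%s)" % finding)
```

On a real host, feed audit() the output of ls -l for the command paths, or call audit_live() with those paths; a "loosened" mode or a changed group on a setuid-root entry is the finding to act on first, since it admits callers the authorization checks were never meant to see.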