Contains the list of valid roles. This system file only applies to AIX 4.2.1 and later.
The /etc/security/roles file contains the list of valid roles. This is an ASCII file that contains a stanza for each system role. Each stanza is identified by a role name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
The file supports a default stanza. If an attribute is not defined, the default value for the attribute is used.
A stanza contains the following attributes:
Attribute | Description |
---|---|
rolelist | Contains a list of roles implied by this role and allows a role to function as a super-role. If the rolelist attribute contains the value of "role1,role2", assigning the role to a user also assigns the roles of role1 and role2 to that user. |
authorizations | Contains the list of additional authorizations acquired by the user for this specific role. |
groups | Contains the list of groups that a user should belong to in order to effectively use this role. The user must be added to each group in this list for this role to be effective. |
screens | Contains a list of SMIT screen identifiers that allow a role to be mapped to various SMIT screens. The default value for this attribute is * (all screens). |
msgcat | Contains the file name of the message catalog that contains the one-line descriptions of system roles. |
msgnum | Contains the message ID that retrieves this role description from the message catalog. |
For a typical stanza, see the "Examples" section.
You should access this file through the commands and subroutines defined for this purpose. You can use the following commands to change the roles file:
The mkrole command creates an entry for each new role in the /etc/security/roles file. To change the attribute values, use the chrole command. To display the attributes and their values, use the lsrole command. To remove a role, use the rmrole command.
To write programs that affect attributes in the /etc/security/roles file, use the subroutines listed in Related Information.
Access Control: This file grants read and write access to the root user, and read access to members of the security group.
A typical stanza looks like the following example for the ManageAllUsers role:
ManageAllUsers:
	rolelist = ManageBasicUsers
	authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
	groups = security
	screens = mkuser,rmuser,!tcpip
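The attribute table and the stanza above describe the file format and the two behaviours that matter when reasoning about what a role actually grants: the default stanza supplies any attribute a role omits, and rolelist makes a role a super-role whose implied roles (transitively) contribute their own authorizations and group requirements. The following parser is an added example written for this page; it is not code from AIX or from this documentation. It assumes the stanza layout shown above (a `name:` header line followed by indented `Attribute = Value` lines), treats lines beginning with `*` as comments as other AIX stanza files do, and uses constructed sample content rather than a real /etc/security/roles file. The function and attribute names other than those in the table are the example's own.

```python
"""Parse an /etc/security/roles-style stanza file and resolve what a role
grants once the default stanza and rolelist (super-role) expansion are applied.
Added example for this page; not AIX code. Sample content is constructed."""
from __future__ import annotations

DEFAULT_STANZA = "default"

# Constructed sample in the page's format. ManageAllUsers is the page's own
# example stanza; the default and ManageBasicUsers stanzas are made up here.
SAMPLE_ROLES = """\
* constructed sample content for the example (comment line)
default:
\tscreens = *

ManageBasicUsers:
\tauthorizations = UserAdmin
\tgroups = security

ManageAllUsers:
\trolelist = ManageBasicUsers
\tauthorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
\tgroups = security
\tscreens = mkuser,rmuser,!tcpip
"""


def parse_roles(text: str) -> dict[str, dict[str, str]]:
    """Return {role_name: {attribute: value}} for every stanza in text."""
    stanzas: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # blank or comment line
            continue
        if line.endswith(":") and "=" not in line:  # stanza header "name:"
            current = line[:-1].strip()
            stanzas[current] = {}
            continue
        if current is None:
            raise ValueError(f"attribute line before any stanza: {raw!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {raw!r}")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def split_list(value: str) -> list[str]:
    """Split a comma-separated attribute value, dropping empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def role_attr(stanzas: dict[str, dict[str, str]], role: str, attr: str) -> str:
    """Attribute value for role, falling back to the default stanza."""
    if attr in stanzas[role]:
        return stanzas[role][attr]
    return stanzas.get(DEFAULT_STANZA, {}).get(attr, "")


def implied_roles(stanzas: dict[str, dict[str, str]], role: str) -> list[str]:
    """The role itself plus every role reached through rolelist, transitively.
    Cycle-safe: a role already visited is not expanded again."""
    order: list[str] = []
    queue = [role]
    while queue:
        name = queue.pop(0)
        if name in order:
            continue
        if name not in stanzas:
            raise KeyError(f"rolelist references undefined role {name!r}")
        order.append(name)
        queue.extend(split_list(role_attr(stanzas, name, "rolelist")))
    return order


def _union_over_implied(stanzas, role: str, attr: str) -> list[str]:
    """Order-preserving union of a list attribute across all implied roles."""
    seen: list[str] = []
    for name in implied_roles(stanzas, role):
        for item in split_list(role_attr(stanzas, name, attr)):
            if item not in seen:
                seen.append(item)
    return seen


def effective_authorizations(stanzas, role: str) -> list[str]:
    """Every authorization a user gains from role, including implied roles."""
    return _union_over_implied(stanzas, role, "authorizations")


def missing_groups(stanzas, role: str, user_groups: list[str]) -> list[str]:
    """Groups the user still has to be added to before the role is effective
    (the page: the user must belong to each group listed for the role)."""
    required = _union_over_implied(stanzas, role, "groups")
    return [g for g in required if g not in user_groups]


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_ROLES)
    print("implied:", implied_roles(roles, "ManageAllUsers"))
    print("authorizations:", effective_authorizations(roles, "ManageAllUsers"))
    print("missing groups for a 'staff' user:",
          missing_groups(roles, "ManageAllUsers", ["staff"]))
```

Running the block against the constructed sample shows ManageAllUsers pulling in ManageBasicUsers through rolelist, the authorization union across both roles, and the screens attribute of ManageBasicUsers resolving to the default stanza's `*`. The `missing_groups` check is the one worth automating when auditing role assignments: a role whose groups requirement is unmet is silently ineffective for that user.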
File | Description |
---|---|
/etc/security/roles | Contains the list of valid roles. |
/etc/security/user.roles | Contains the list of roles for each user. |
/etc/security/smitacl.group | Contains the group ACL definitions. |
/etc/security/smitacl.user | Contains the user ACL definitions. |
The chrole command, lsrole command, mkrole command, rmrole command.
The getroleattr subroutine, nextrole subroutine, putroleattr subroutine, setroledb subroutine, endroledb subroutine.