[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

Files Reference

roles File


Contains the list of valid roles. This system file only applies to AIX 4.2.1 and later.


The /etc/security/roles file contains the list of valid roles. This is an ASCII file that contains a stanza for each system role. Each stanza is identified by a role name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.

The file supports a default stanza. If an attribute is not defined, the default value for the attribute is used.

A stanza contains the following attributes:

Attribute Description
rolelist Contains a list of roles implied by this role and allows a role to function as a super-role. If the rolelist attribute contains the value of "role1,role2", assigning the role to a user also assigns the roles of role1 and role2 to that user.
authorizations Contains the list of additional authorizations acquired by the user for this specific role.
groups Contains the list of groups that a user should belong to in order to effectively use this role. The user must be added to each group in this list for this role to be effective.
screens Contains a list of SMIT screen identifiers that allow a role to be mapped to various SMIT screens. The default value for this attribute is * (all screens).
msgcat Contains the file name of the message catalog that contains the one-line descriptions of system roles.
msgnum Contains the message ID that retrieves this role description from the message catalog.
For a typical stanza, see the "Examples" stanza.

Changing the roles File

You should access this file through the commands and subroutines defined for this purpose. You can use the following commands to change the roles file:

The mkrole command creates an entry for each new role in the /etc/security/roles file. To change the attribute values, use the chrole command. To display the attributes and their values, use the lsrole command. To remove a role, use the rmrole command.

To write programs that affect attributes in the /etc/security/roles file, use the subroutines listed in Related Information.


Access Control: This file grants read and write access to the root user, and read access to members of the security group.


A typical stanza looks like the following example for the ManageAllUsers role:


   rolelist = ManageBasicUsers
   authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
   groups = security
   screens = mkuser,rmuser,!tcpip


/etc/security/roles Contains the list of valid roles.
/etc/security/user.roles Contains the list of roles for each user.
/etc/security/smitacl.group Contains the group ACL definitions.
/etc/security/smitacl.user Contains the user ACL definitions.

Related Information

The chrole command, lsrole command, mkrole command, rmrole command.

The getroleattr subroutine, nextrole subroutine, putroleattr subroutine, setroledb subroutine, endroledb subroutine.

[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]