Creates a new user-defined authorization.
The mkauth command creates a new user-defined authorization in the authorization database. You can create authorization hierarchies by using a dot (.) in the Name parameter to create an authorization of the form ParentAuth.SubParentAuth.SubSubParentAuth.... All parent elements in the Name parameter must already exist in the authorization database before the new authorization is created. The maximum number of parent elements that you can use to create an authorization is 8.
If the system is configured to use multiple domains for the authorization database, the new authorization is created in the first domain specified by the secorder attribute in the authorizations stanza of the /etc/nscontrol.conf file. Use the -R flag to create an authorization in a specific domain.
When the system is operating in enhanced Role Based Access Control (RBAC) mode, modifications made to the authorization database are not used for security decisions until the database is sent to the kernel security tables with the setkst command. Authorizations created in the authorization database can be assigned to roles immediately, but they do not take effect until the kernel security tables are updated.
Flag | Description |
---|---|
-R load_module | Specifies the loadable module to use for authorization creation. |
Parameter | Description |
---|---|
Attribute=Value | Initializes an authorization attribute. Refer to the chauth command for valid attributes and values. |
Name | Specifies a unique authorization name string. Restrictions on authorization names: the Name parameter must be unique and can be a maximum of 64 single-byte printable characters. Although the mkauth command supports multibyte authorization names, it is recommended that you restrict authorization names to characters in the POSIX portable file name character set. The name cannot begin with aix. because that is the designated top-level parent for system-defined authorizations, and the mkauth command creates only user-defined authorizations. Authorization names must not begin with a dash (-), a plus sign (+), an at sign (@), or a tilde (~), and must not contain any space, tab, or newline characters. You cannot use the keywords ALL, default, ALLOW_OWNER, ALLOW_GROUP, ALLOW_ALL, or an asterisk (*) as an authorization name. Additionally, do not use any of the following characters within an authorization string: |
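The name restrictions above and the hierarchy rules in the description (every parent element must already exist, at most 8 parent elements) are easy to get wrong when scripting the creation of an authorization tree. The following POSIX sh script is an added example, not part of the AIX documentation or of mkauth itself: it checks a candidate name against the documented rules, verifies that each parent exists against a constructed list of existing authorizations (a stand-in for what you would read from lsauth on a real system; "custom" and "custom.test" are assumed to have been created earlier), and then prints the mkauth command that would run, followed by the setkst step that enhanced RBAC mode requires. The list of additional forbidden punctuation characters is not reproduced on this page, so the script does not check for them.

```shell
#!/bin/sh
# Added example, not part of the AIX mkauth documentation: pre-flight checks
# that mirror the documented naming and hierarchy rules, then a dry-run print
# of the mkauth and setkst commands that would follow. Nothing here touches
# the authorization database.

# Constructed stand-in for the list of authorizations that already exist on
# the system (on AIX you would obtain it with lsauth). "aix" is the
# system-defined top-level parent; "custom" and "custom.test" are assumed to
# have been created earlier with mkauth.
EXISTING_AUTHS="aix
aix.security
aix.security.auth
custom
custom.test"

# Print the number of dot-separated elements in a name (a.b.c -> 3).
count_elements() {
    rest=$1
    n=1
    while [ "$rest" != "${rest#*.}" ]; do
        rest=${rest#*.}
        n=$((n + 1))
    done
    echo "$n"
}

# Return 0 if the name satisfies the restrictions listed for the Name
# parameter; otherwise print the reason to stderr and return 1.
# The documentation also forbids a set of punctuation characters inside the
# string; that list is not reproduced on this page, so it is not checked.
auth_name_ok() {
    name=$1
    if [ -z "$name" ]; then
        echo "authorization name is empty" >&2; return 1
    fi
    if [ "${#name}" -gt 64 ]; then
        echo "$name: longer than 64 characters" >&2; return 1
    fi
    case $name in
        aix.*)
            echo "$name: aix. is reserved for system-defined authorizations" >&2; return 1 ;;
        -*|+*|@*|~*)
            echo "$name: must not begin with -, +, @ or ~" >&2; return 1 ;;
        *[[:space:]]*)
            echo "$name: must not contain space, tab or newline" >&2; return 1 ;;
        ALL|default|ALLOW_OWNER|ALLOW_GROUP|ALLOW_ALL|'*')
            echo "$name: reserved keyword" >&2; return 1 ;;
    esac
    # At most 8 parent elements, so at most 9 elements in total.
    if [ "$(count_elements "$name")" -gt 9 ]; then
        echo "$name: more than 8 parent elements" >&2; return 1
    fi
    return 0
}

# Return 0 if every parent element of the name is already in EXISTING_AUTHS;
# mkauth will not create a child whose parent does not exist yet.
parents_exist() {
    child=$1
    parent=${child%.*}
    while [ "$parent" != "$child" ]; do
        if ! printf '%s\n' "$EXISTING_AUTHS" | grep -qxF -- "$parent"; then
            echo "$parent: parent authorization does not exist; create it first" >&2
            return 1
        fi
        child=$parent
        parent=${child%.*}
    done
    return 0
}

# Run both checks and print the mkauth command that would create the
# authorization. Further arguments are passed through as Attribute=Value
# pairs, in the position mkauth takes them (before the Name).
plan_mkauth() {
    target=$1
    shift
    auth_name_ok "$target" || return 1
    parents_exist "$target" || return 1
    printf 'mkauth'
    for attr in "$@"; do
        printf ' %s' "$attr"
    done
    printf ' %s\n' "$target"
}

# Demonstration: a new child of the (assumed existing) custom.test, followed by
# the step the documentation requires in enhanced RBAC mode before the new
# authorization is enforced.
if plan_mkauth custom.test.deep id=12001; then
    echo "setkst"
fi
```

Run it as-is to see the planned commands; to adapt it to a live system, replace the EXISTING_AUTHS literal with the names reported by lsauth and execute the printed mkauth line, then setkst, only after both checks pass.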
Authorization | Description |
---|---|
aix.security.auth.create | Required to run the command. |
File | Mode |
---|---|
/etc/security/authorizations | rw |
To create a top-level user-defined authorization named custom, enter:
mkauth custom
To create the authorization custom.test (the parent custom must already exist) and initialize its id and dfltmsg attributes, enter:
mkauth id=12000 dfltmsg="Test Authorization" custom.test
To create the custom authorization in the LDAP domain rather than in the first domain listed by the secorder attribute in /etc/nscontrol.conf, enter:
mkauth -R LDAP custom