mkauth Command

Purpose

Creates a new user-defined authorization.

Syntax

mkauth [-R load_module] [Attribute = Value ...] Name

Description

The mkauth command creates a new user-defined authorization in the authorization database. You can create authorization hierarchies by using a dot (.) in the Name parameter to create an authorization of the form ParentAuth.SubParentAuth.SubSubParentAuth.... All parent elements in the Name parameter must already exist in the authorization database before the new authorization is created. The maximum number of parent elements that you can use to create an authorization is 8.

If the system is configured to use multiple domains for the authorization database, the new authorization is created in the first domain specified by the secorder attribute in the authorizations stanza of the /etc/nscontrol.conf file. Use the -R flag to create an authorization in a specific domain.

Authorization attributes can be set at creation time through the Attribute = Value parameter. Every authorization that you create must have a value for the id authorization attribute. If you do not specify the value using the mkauth command, the command automatically generates a unique ID for the authorization. If you specify an ID, the value must be unique and greater than 10000.

Restriction: Authorization IDs less than 10000 are reserved for system-defined authorizations

When the system is operating in enhanced Role Based Access Control (RBAC) mode, modifications made to the authorization database are not used for security considerations until the database is sent to the kernel security tables using the setkst command. Authorizations created in the authorization database can be assigned to roles immediately, but do not take effect until the kernel security tables is updated.

Flags

Item	Description
-R load_module	Specifies the loadable module to use for authorization creation.

Parameters

Item	Description
Attribute = Value	Initializes an authorization attribute. Refer to the chauth command for valid attributes and values.
Name	Specifies a unique authorization name string. Restrictions on Creating Authorization Names: The Name parameter that you specify must be unique, and can be a maximum of 64 single-byte printable characters. Although the mkauth command supports multibyte authorization names, authorization names to characters are restricted within the POSIX portable file name character set. The authorization name that you specify cannot begin with `aix.` because that is the designated top-level parent for system-defined authorizations and the mkauth command only creates user-defined authorizations. Authorization names must not begin with a dash (-), a plus sign (+), an at sign (@), a tilde (~), or contain any space, tab or newline characters. You cannot use the keywords ALL, default, ALLOW_OWNER, ALLOW_GROUP, ALLOW_ALL, or an asterisk (*) as an authorization name. Additionally, do not use any of the following characters within an authorization string: : (colon) " (quotation mark) # (number sign) , (comma) = (equal sign) \ (backslash) / (forward slash) ? (question mark) ' (single quotation mark) ˋ (grave accent)

Item

Description

Attribute = Value

Initializes an authorization attribute. Refer to the chauth command for valid attributes and values.

Name

Specifies a unique authorization name string.

Restrictions on Creating Authorization Names:

The Name parameter that you specify must be unique, and can be a maximum of 64 single-byte printable characters. Although the mkauth command supports multibyte authorization names, authorization names to characters are restricted within the POSIX portable file name character set. The authorization name that you specify cannot begin with aix. because that is the designated top-level parent for system-defined authorizations and the mkauth command only creates user-defined authorizations.

Authorization names must not begin with a dash (-), a plus sign (+), an at sign (@), a tilde (~), or contain any space, tab or newline characters. You cannot use the keywords ALL, default, ALLOW_OWNER, ALLOW_GROUP, ALLOW_ALL, or an asterisk (*) as an authorization name. Additionally, do not use any of the following characters within an authorization string:

: (colon)
" (quotation mark)
# (number sign)
, (comma)
= (equal sign)
\ (backslash)
/ (forward slash)
? (question mark)
' (single quotation mark)
ˋ (grave accent)

Security

The mkauth command is a privileged command. You must assume a role that has the following authorization to run the command successfully.

Item	Description
aix.security.auth.create	Required to run the command.

Files Accessed

Item	Description
File	Mode
/etc/security/authorizations	rw

Examples

To create a top-level authorization custom and have the mkauth command assign an appropriate ID value, use the following command:
```
mkauth custom
```
To create a custom.test child authorization and assign an ID and default description, use the following command:
```
mkauth id=12000 dfltmsg="Test Authorization" custom.test
```
To create the custom authorization in LDAP, use the following command:
```
mkauth -R LDAP custom 
```