rmauth Command

Purpose

Removes one or more user-defined authorizations.

Syntax

rmauth [-R load_module] [-h] Name

Description

The rmauth command removes the user-defined authorization identified by the Name parameter. The command only removes existing user-defined authorizations in the authorization database. You cannot remove system-defined authorizations with this command. If an authorization is being referenced in the privileged command database, it cannot be removed until the authorization is no longer referenced by the database.

By default, the rmauth command only attempts to remove the specified authorization from the authorization database. You must remove authorizations from the lowest level of a hierarchy before a higher level can be removed: if you specify a higher-level authorization while lower-level authorizations still exist, the command fails. To remove a hierarchy of authorizations, specify the -h flag. With the -h flag, every lower-level authorization beneath the specified authorization is also removed. If any of those lower-level authorizations is referenced in the privileged command database, no authorizations are removed and the entire operation fails.

If the system is configured to use databases from multiple domains, the rmauth command finds the first match, searching the database domains in the order specified by the secorder attribute of the authorizations stanza in the /etc/nscontrol.conf file, and removes that authorization entry from the domain where it was found. Matching authorizations in the remaining domains are not affected. Use the -R flag to remove an authorization from a specific domain.

When the system is operating in enhanced role based access control (RBAC) mode, modifications made to the authorization database are not used for security considerations until the database is sent to the kernel security tables using the setkst command.
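The checks described above (an authorization that is still referenced in the privileged command database cannot be removed, -h extends that constraint to every child, and in enhanced RBAC mode the change only takes effect after setkst) are shown below as an added shell example; it is not part of the AIX documentation. It assumes that `lssecattr -c -a accessauths ALL` prints one `command accessauths=a,b,c` line per privileged command, and the sample output embedded in the script is constructed for illustration, not captured from a system.

```shell
#!/bin/sh
# Added example (not from the rmauth reference page): refuse to remove a
# user-defined authorization while the privileged command database still
# references it, then refresh the kernel security tables with setkst.

# Constructed sample of what `lssecattr -c -a accessauths ALL` might print;
# the "name attr=value" layout is an assumption about the output format.
SAMPLE_ACCESSAUTHS='/usr/sbin/custom_tool accessauths=custom.test,aix.security.user
/usr/bin/other_tool accessauths=aix.device.manage
/opt/tools/child_tool accessauths=custom.sub.child'

# auth_referenced AUTH [h]
# Reads lssecattr-style lines on stdin and prints each command that still
# references AUTH. With a second argument of "h" it also matches every
# authorization below AUTH in the hierarchy (AUTH.*), which is exactly the
# set that `rmauth -h AUTH` would try to remove.
# Returns 0 when at least one reference exists, 1 when none do.
auth_referenced() {
    auth=$1
    mode=${2:-}
    found=1
    while read -r cmd attrs; do
        # Skip anything that is not an accessauths attribute line.
        case $attrs in accessauths=*) ;; *) continue ;; esac
        list=${attrs#accessauths=}
        # Walk the comma-separated authorization list.
        oldifs=$IFS
        IFS=,
        for a in $list; do
            if [ "$a" = "$auth" ]; then
                echo "$cmd references $a"
                found=0
            elif [ "$mode" = "h" ]; then
                case $a in "$auth".*) echo "$cmd references $a"; found=0 ;; esac
            fi
        done
        IFS=$oldifs
    done
    return $found
}

# remove_auth AUTH [h]
# The guarded removal procedure. It is defined only; call it explicitly on an
# AIX system, e.g. `remove_auth custom.test` or `remove_auth custom h`.
remove_auth() {
    auth=$1
    mode=${2:-}
    if lssecattr -c -a accessauths ALL | auth_referenced "$auth" "$mode"; then
        echo "refusing to remove $auth: still referenced in the privileged command database" >&2
        return 1
    fi
    if [ "$mode" = "h" ]; then
        rmauth -h "$auth" || return 1
    else
        rmauth "$auth" || return 1
    fi
    # In enhanced RBAC mode the database change is not enforced until the
    # kernel security tables are reloaded.
    setkst
}
```

Running `auth_referenced` against the constructed sample shows the difference between the two modes: `custom.sub` alone is unreferenced and would be removable, but `custom.sub` with `h` reports `/opt/tools/child_tool references custom.sub.child`, which is why `rmauth -h custom.sub` would fail on such a system.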

Flags

Item            Description
-h              Allows removal of a hierarchy of authorizations.
-R load_module  Specifies the loadable module to use for the authorization deletion.

Parameters

Item  Description
Name  Specifies the authorization to remove.

Security

The rmauth command is a privileged command. You must have the aix.security.auth.remove authorization to run the command:

Item                       Description
aix.security.auth.remove   Required to run the command.

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Files Accessed

File                          Mode
/etc/security/authorizations  rw

Examples

  1. To remove the custom.test authorization, use the following command:
    rmauth custom.test
  2. To remove the custom authorization and all of its children authorizations, use the following command:
    rmauth -h custom
  3. To remove the custom.test authorization from LDAP, use the following command:
    rmauth -R LDAP custom.test