rolelist Command

Purpose

Displays role information for a user or process.

Syntax

rolelist [-a] [-e | -u username | -p PID]

Description

The rolelist command provides role and authorization information to the invoker about their current roles or the roles assigned to them. If no flags or arguments are specified, the rolelist command displays the list of roles assigned to the invoker on the real user ID with the text description of each role if one is provided in the roles database. Specifying the -e flag outputs information about the current effective active role set for the session. If the invoker is not currently in a role session and specifies the -e flag, no output is displayed. Specifying the -a flag displays the authorizations associated with the roles instead of the text description.

The rolelist command also allows a privileged user to list the role information for another user or for a process. Specifying a user name with the -u flag allows a privileged user to list the roles assigned to another user. The active role set of a given user cannot be determined because the user can have multiple active role sessions. Therefore, if the -u flag is specified, the -e flag is not allowed. Specifying a process ID with the -p flag allows a privileged user to display the roles associated with a process. The command fails immediately if invoked by a non-privileged user when the -u or -p flag is specified.

The authorization information displayed by the rolelist command is retrieved from the kernel security tables. This information can differ from the current state of the roles database if the database has been modified after the kernel security tables were last updated.

Flags

Item          Description
-a            Displays the authorizations assigned to each role instead of the role description.
-e            Displays information about the effective active role set of the session.
-u username   Displays role information for the specified user.
-p PID        Displays role information of the specified process.

Security

All users can run the rolelist command. To query the role information of another user or a process, the following authorizations are required.
Item                           Description
aix.security.role.list         Required to invoke the command on another user.
aix.security.proc.role.list    Required to list the roles associated with a process.

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Files Accessed

Files                          Mode
/etc/security/user.roles       r
/etc/security/roles            r

Examples

  1. To display the list of roles assigned to you and their text descriptions, use the following command:
    rolelist
    Information similar to the following example is displayed:
    UserAdmin        User Administrator
    RoleAdmin        Role Administrator
    FSAdmin          File System Administrator
  2. To display the authorizations associated with the assigned roles, use the following command:
    rolelist -a
    Information similar to the following example is displayed:
    UserAdmin        aix.security.user
    RoleAdmin        aix.security.role
    FSAdmin          aix.security.fs
  3. As a privileged user, use the following command to display the roles assigned to a specific user:
    rolelist -u user1
    Information similar to the following example is displayed:
    SysInfo          System Information Retrieval
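The Description section notes that rolelist reads the kernel security tables, which can lag behind the roles database. The following script is an added example, not part of the rolelist documentation: it parses `rolelist -u` output and a user.roles-style stanza for the same user and reports roles present in the database but missing from the kernel view. Both inputs are constructed stand-ins so it runs offline, and the stanza layout is an assumed rendering of /etc/security/user.roles.

```shell
# Constructed stand-in for /etc/security/user.roles (assumed stanza layout).
USER_ROLES_STANZAS='root:
	roles =

user1:
	roles = UserAdmin,FSAdmin,SysInfo
'

# Constructed stand-in for the output of: rolelist -u user1
ROLELIST_OUTPUT='UserAdmin        User Administrator
FSAdmin          File System Administrator
'

# roles_from_stanza USER < stanza-text : role names of USER, one per line, sorted
roles_from_stanza() {
    awk -v u="$1:" '
        $0 == u     { in_stanza = 1; next }
        /^[^ \t]/   { in_stanza = 0 }
        in_stanza && $1 == "roles" {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, r, ",")
            for (i = 1; i <= n; i++) if (r[i] != "") print r[i]
        }' | sort
}

# roles_from_rolelist < rolelist-output : first column (role name), sorted
roles_from_rolelist() {
    awk 'NF { print $1 }' | sort
}

# check_role_drift USER STANZA_TEXT ROLELIST_TEXT
# Returns 0 when both views agree; otherwise prints the roles present in the
# database but absent from the kernel view and returns 1.
check_role_drift() {
    db=$(printf '%s' "$2" | roles_from_stanza "$1")
    kern=$(printf '%s' "$3" | roles_from_rolelist)
    [ "$db" = "$kern" ] && return 0
    echo "role drift for $1 (in roles database, not in kernel tables):"
    for r in $db; do
        printf '%s\n' "$kern" | grep -qx "$r" || echo "  $r"
    done
    return 1
}
```

With the constructed inputs the check reports SysInfo as present in the database but not in the kernel tables; on AIX such drift is cleared by refreshing the kernel security tables with setkst.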