roles File

Purpose

Contains the list of valid roles.

Description

The /etc/security/roles file contains the list of valid roles. This is an ASCII file that contains a stanza for each system role. Each stanza is identified by a role name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.

The file supports a default stanza. If an attribute is not defined, the default value for the attribute is used, except in the case of the id attribute. The id attribute must be specified and unique for each role in the file.

A stanza contains the following attributes:

Attribute Description
rolelist Contains a list of roles implied by this role and allows a role to function as a super-role. If the rolelist attribute contains the value of "role1,role2", assigning the role to a user also assigns the roles of role1 and role2 to that user.
authorizations Contains the list of additional authorizations acquired by the user for this specific role.
groups Contains the list of groups that a user should belong to in order to effectively use this role. The user must be added to each group in this list for this role to be effective.
screens Contains a list of SMIT screen identifiers that allow a role to be mapped to various SMIT screens. The default value for this attribute is * (all screens).
msgcat Contains the file name of the message catalog that contains the one-line descriptions of system roles.
msgnum Contains the message ID that retrieves this role description from the message catalog.
id Specifies the unique numeric ID for the role. This is a required attribute when the system is in enhanced RBAC mode. This is used internally for security decisions. Do not modify the role ID after creating the role.
dfltmsg Contains the default role-description text if message catalogs are not in use.
msgset Contains the message set that contains the role description in the message catalog.
auth_mode Specifies the authentication mode required when you assume the role with the swrole command while the system is in enhanced RBAC mode. The following values are valid:
  • NONE - No authentication is necessary.
  • INVOKER - You must enter your own password when invoking the swrole command. This is the default.
For a typical stanza, see the "Examples" section.

Changing the roles File

Do not directly edit the /etc/security/roles file. Use the following commands to manipulate the role database:

The mkrole command creates an entry for each new role in the /etc/security/roles file. To change the attribute values, use the chrole command. To display the attributes and their values, use the lsrole command. To remove a role, use the rmrole command.

When the system is operating in enhanced RBAC mode, changes made to the roles file do not take effect for security decisions until the entire roles database is loaded into the Kernel Security Tables with the setkst command or until the system is rebooted.

To write programs that affect attributes in the /etc/security/roles file, use the subroutines listed in Related Information.

Security

The root user and the security group own this file. Read and write access is granted to the root user, and read access to members of the security group. Access for other users and groups depends on the security policy for the system.

Examples

A typical stanza looks like the following example for the ManageAllUsers role:

ManageAllUsers:
   id = 110
   dfltmsg = "Manage all users"
   rolelist = ManageBasicUsers
   authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
   groups = security
   screens = mkuser,rmuser,!tcpip
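The following Python parser is an added example, not part of the AIX documentation or of the roles database tools, for reading the stanza format described above: it fills omitted attributes from the default stanza (never id), rejects a file in which a role lacks an id or two roles share one, and follows rolelist transitively so that a super-role's implied roles and their authorizations can be computed. The sample text is constructed and the transitive expansion goes one step beyond the one-level case the description gives.

```python
# Constructed sample in the stanza format described above, not a real roles file.
SAMPLE_ROLES = """\
default:
   screens = *
   auth_mode = INVOKER

ManageBasicUsers:
   id = 100
   authorizations = UserAdmin

ManageAllUsers:
   id = 110
   rolelist = ManageBasicUsers
   authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
   screens = mkuser,rmuser,!tcpip
"""

def parse_roles(text):
    """Return {role: {attr: value}}, filling omitted attrs from the default stanza."""
    stanzas, current = {}, None
    for line in filter(str.strip, text.splitlines()):      # skip blank lines
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]            # "name:" opens a stanza
            stanzas[current] = {}
        else:
            key, sep, value = line.partition("=")  # "Attribute = Value"
            if current is None or not sep:
                raise ValueError(f"malformed line: {line!r}")
            stanzas[current][key.strip()] = value.strip().strip('"')
    defaults = stanzas.pop("default", {})
    defaults.pop("id", None)                       # id is never defaulted
    roles = {n: {**defaults, **a} for n, a in stanzas.items()}
    ids = [a.get("id") for a in roles.values()]    # required and unique
    if None in ids or len(set(ids)) != len(ids):
        raise ValueError("every role needs its own unique id")
    return roles

def effective_roles(roles, name, seen=None):
    """Roles implied by `name` via rolelist, followed transitively (cycle-safe)."""
    seen = set() if seen is None else seen
    if name not in seen:
        seen.add(name)
        for sub in filter(None, map(str.strip, roles[name].get("rolelist", "").split(","))):
            effective_roles(roles, sub, seen)
    return seen

def effective_authorizations(roles, name):
    """Union of authorizations over the role and everything its rolelist implies."""
    return {a.strip() for r in effective_roles(roles, name)
            for a in roles[r].get("authorizations", "").split(",") if a.strip()}
```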

Files

Item Description
/etc/security/roles Contains the list of valid roles.
/etc/security/user.roles Contains the list of roles for each user.
/etc/security/smitacl.group Contains the group ACL definitions.
/etc/security/smitacl.user Contains the user ACL definitions.