smitacl.user File

Purpose

Contains the user access control list (ACL) definitions for the System Management Interface Tool (SMIT).

Description

The /etc/security/smitacl.user file contains the ACL definitions for SMIT. This is an ASCII file that contains a stanza for each system user. Each stanza is identified by a user name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.

The file supports a default stanza. If an attribute is not defined, either the default stanza or the default value for the attribute is used.

A stanza contains the following attributes:

Attribute Description

Attribute	Description
screens	Describes the list of SMIT screens for the user. (It is of the type SEC_LIST.) Examples include: `screens = * # Permit all screen access. screens = !* # Deny all screen access. screens = # Allows no specific screens # (screens can be added on a per user basis) screens = user,group,!tcpip # Allow user & group # screens, but not # tcpip screen`
funcmode	Describes if the role database and/or SMIT ACL database should be used to determine accessibility. It also describes how to combine the screens data from the two databases. (It is of the type SEC_CHAR.) Examples include: `funcmode = roles+acl # Use both roles and SMIT ACL # databases. funcmode = roles # Use only the roles database. funcmode = acl # Use only the SMIT ACL # database.` The defined values for funcmode are: roles Only the screen values from the roles database are used. acl Only the screen values from the SMIT ACL database are used. roles+acl The screen values from both the roles and the SMIT ACL databases are used.

screens

Describes the list of SMIT screens for the user. (It is of the type SEC_LIST.) Examples include:

screens = *                    # Permit all screen access.
screens = !*                   # Deny all screen access.
screens =                      # Allows no specific screens
                               # (screens can be added on a per user basis)
screens = user,group,!tcpip    # Allow user & group
                               # screens, but not
                               # tcpip screen

funcmode

Describes if the role database and/or SMIT ACL database should be used to determine accessibility. It also describes how to combine the screens data from the two databases. (It is of the type SEC_CHAR.) Examples include:

funcmode = roles+acl   # Use both roles and SMIT ACL # databases.
funcmode = roles       # Use only the roles database.
funcmode = acl         # Use only the SMIT ACL # database.

The defined values for funcmode are:

roles: Only the screen values from the roles database are used.
acl: Only the screen values from the SMIT ACL database are used.
roles+acl: The screen values from both the roles and the SMIT ACL databases are used.

For a typical stanza, see the "Examples" section . This file may viewed with the lssec command and modified with the chsec command.

The screen names specified in the screens attribute are SMIT fastpath values. Many SMIT fastpath values can be found in the commands documentation. The smit command may also be used to determine the fastpath of the current screen. Please see the smit command for more information.

Security

Access Control: This file grants read and write access to the root user, and read access to members of the security group.

Examples

To allow pwduser to access the groups which are accessible via the users and passwd SMIT fastpaths, type the following:
```
pwduser:
       funcmode = roles+acl
       screens = users,passwd
```
To allow the mksysb screen only for user bkupuser, add the following stanza:
```
bkupuser:
    screens = mksysb
```

Files

Item	Description
/etc/security/roles	Contains the list of valid roles.
/etc/security/user.roles	Contains the list of roles for each user.
/etc/security/smitacl.group	Contains the group ACL definitions.
/etc/security/smitacl.user	Contains the user ACL definitions.