Changes role attributes. This command applies only to AIX® 4.2.1 and later.
chrole [-R load_module] Attribute=Value ... Name
The chrole command changes attributes for the role identified by the Name parameter. The role name must already exist. To change an attribute, specify the attribute name and the new value with the Attribute=Value parameter.
If you specify a single incorrect attribute or attribute value with the chrole command, the command does not change any attribute.
You can use the Users application in Web-based System Manager (wsm) to change user characteristics. You could also use the System Management Interface Tool (SMIT) smit chrole fast path to run this command.
If the system is configured to use multiple domains for the role database, role modification is performed according to the order specified by the secorder attribute of the roles database stanza in the /etc/nscontrol.conf file. Only the first matching role is modified. Duplicate roles from the remaining domains are not modified. Use the -R flag to modify the role from a specific domain.
When the system is operating in enhanced Role Based Access Control (RBAC) mode, modifications made to the role database are not used for security considerations until the database is sent to the kernel security tables through the setkst command.
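The all-or-nothing attribute validation and the first-match domain lookup described above, modelled in Python as an added illustration (not AIX code): the `chrole` function, the `VALIDATORS` table and the in-memory role databases are assumptions standing in for the real roles database and the secorder setting in /etc/nscontrol.conf.

```python
from typing import Dict, List, Optional

Domains = Dict[str, Dict[str, Dict[str, str]]]  # domain -> role name -> attributes

def _is_int(v: str) -> bool:
    return v.lstrip("-").isdigit()

def _is_csv(v: str) -> bool:
    return v != "" and all(p.strip() for p in v.split(","))

# Attribute names from the chrole table; typed checks only where the page
# states a type (comma lists, integers, ALL); the rest accept any value.
VALIDATORS = {
    "auditclasses": lambda v: v == "ALL" or _is_csv(v),
    "authorizations": _is_csv, "groups": _is_csv,
    "rolelist": _is_csv, "screens": _is_csv,
    "id": _is_int, "msgnum": _is_int, "visibility": _is_int,
    "auth_mode": lambda v: True, "dfltmsg": lambda v: True,
    "msgcat": lambda v: True, "msgset": lambda v: True,
}

def chrole(domains: Domains, secorder: List[str], name: str,
           *assignments: str, load_module: Optional[str] = None) -> Optional[str]:
    """Apply Attribute=Value assignments to role `name` (model of chrole).

    Returns the domain whose copy of the role was modified, or None when
    nothing changed (bad attribute, bad value, or unknown role).
    """
    # Parse and validate every assignment before touching any database:
    # a single bad attribute or value means no attribute is changed.
    changes: Dict[str, str] = {}
    for item in assignments:
        attr, sep, value = item.partition("=")
        if not sep or attr not in VALIDATORS or not VALIDATORS[attr](value):
            return None
        changes[attr] = value
    # -R restricts the lookup to one domain; otherwise walk secorder and
    # modify only the first domain holding the role (duplicates untouched).
    for dom in ([load_module] if load_module else secorder):
        role = domains.get(dom, {}).get(name)
        if role is not None:
            role.update(changes)
            return dom  # in enhanced RBAC mode setkst must still be run
    return None

if __name__ == "__main__":
    # Constructed sample: the role exists in both domains, files first in secorder.
    dbs = {"files": {"ManagePasswds": {"id": "7"}},
           "LDAP": {"ManagePasswds": {"id": "7"}}}
    print(chrole(dbs, ["files", "LDAP"], "ManagePasswds",
                 "authorizations=aix.security.passwd"))  # files
    print(chrole(dbs, ["files", "LDAP"], "ManagePasswds",
                 "authorizations=aix.security.passwd", load_module="LDAP"))  # LDAP
```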
Item | Description |
---|---|
-R load_module | Specifies the loadable module to use for the role modification. |
If you have the proper authority, you can set the following role attributes:
Item | Description |
---|---|
auditclasses | Lists the user's audit classes. The Value parameter is a list of comma-separated classes, or a value of ALL to indicate all audit classes. |
auth_mode | Specifies the authentication that is required to assume the role when the swrole command is used. You can specify the following values: |
authorizations | List of additional authorizations required for this role beyond those defined by the roles in the rolelist attribute. The Value parameter is a list of authorization names, separated by commas. |
dfltmsg | Contains the default role-description text to use if message catalogs are not in use. |
groups | List of groups to which a user should belong, in order to effectively use this role. This attribute is for information only and does not automatically make the user a member of the list of groups. The Value parameter is a list of group names, separated by commas. |
id | Specifies the unique numeric ID for the role. You must specify the id attribute. Attention: Do not modify the attribute value after the role is assigned to a user. |
msgcat | Contains the file name of the message catalog that holds the one-line descriptions of system roles. The Value parameter is a character string. |
msgnum | Contains the index into a message catalog for a description of the role. The Value parameter is an integer. |
msgset | Contains the message set that includes the role description in the message catalog. |
rolelist | Lists the roles implied by this role. The Value parameter is a list of role names, separated by commas. |
screens | Lists the SMIT screen identifiers allowing roles to be mapped to various SMIT screens. The Value parameter is a list of SMIT screen identifiers, separated by commas. |
visibility | Specifies the role's visibility status to the system. The Value parameter is an integer. Possible values are: |
Item | Description |
---|---|
aix.security.role.change | Required to run the command. |
Auditing Events
Event | Information |
---|---|
ROLE_Change | role, attribute |
Files Accessed
Mode | File |
---|---|
rw | /etc/security/roles |
r | /etc/security/user.roles |
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
To set the authorizations attribute of the ManagePasswds role to aix.security.passwd, enter:
chrole authorizations=aix.security.passwd ManagePasswds
To make the same change only to the copy of the ManagePasswds role held in the LDAP domain, enter:
chrole -R LDAP authorizations=aix.security.passwd ManagePasswds
Item | Description |
---|---|
/etc/security/roles | Contains the attributes of roles. |
/etc/security/user.roles | Contains the role attribute of users. |