lsauth Command

Purpose

Displays user and system-defined authorization attributes.

Syntax

lsauth [-R load_module] [-C] [-f] [-a List] {ALL | Name [,Name] …}

Description

The lsauth command displays attributes of user-defined and system-defined authorizations from the authorization database. The command can be used to list attributes of all authorizations or specific authorizations. By default, the lsauth command displays all authorization attributes. To view selected attributes, use the -a List flag. If one or more attributes cannot be read, the lsauth command lists the information that is available.

By default, the lsauth command lists the attributes of each authorization on one line. It displays attribute information in the form of Attribute = Value, each separated by a blank space. To list the authorization attributes in stanza format, use the -f flag. To list the information as colon-separated records, use the -C flag.

If the system is configured to use multiple domains for the authorization database, the authorizations, as specified by the Name parameter, are searched from the domains in the order specified by the secorder attribute of the authorizations stanza in the /etc/nscontrol.conf file. If duplicate entries exist in multiple domains, only the first entry instance is listed. Use the -R flag to list the authorizations from a specific domain.

Flags

Item Description
-a List Lists the attributes to display. The List parameter requires a blank space between attributes to list multiple attributes. If you specify an empty list, only the authorization names are displayed. The List parameter can include any attribute defined in the chauth command, in addition to the following two attributes:
    description
        The text description of the authorization as indicated by the dfltmsg, msgcat, msgset and msgnum attributes for the authorization.
    roles
        A comma-separated list of roles containing the specified authorization in their authorization set.
-C Displays the authorization attributes in colon-separated records, as follows:
    #authorization:attribute1:attribute2: ...
    authorization:value1:value2: ...
    authorization2:value1:value2: ...
    The output is preceded by a comment line that has details about the attribute represented in each colon-separated field. If you specify the -a flag, the order of the attributes matches the order specified in the -a flag. If an authorization does not have a value for a given attribute, the field is still displayed but is empty. The last field in each entry is ended by a newline character rather than a colon.
-f Displays the output in stanzas, with each stanza identified by an authorization name. Each Attribute = Value pair is listed on a separate line:
    Authorization:
        attribute1=value
        attribute2=value
        attribute3=value
-R load_module Specifies the loadable module to list authorizations from.

Parameters

Item Description
ALL Specifies to list attributes from all authorizations.
Name Specifies the authorization name to list. Optionally, a wild card (.*) can be used at the end of a name to list an entire hierarchy. The entire string specified before the wild card must be a valid authorization name.

Security

The lsauth command is a privileged command. You must assume a role that has the following authorization to run the command successfully.
Item Description
aix.security.auth.list Required to run the command.

Files Accessed

File Mode
/etc/security/authorizations r

Examples

  1. To display all attributes of the custom authorization, use the following command:
    lsauth custom
    All the attribute information appears, with each attribute separated by a blank space.
  2. To display all attributes of the custom authorization from LDAP, use the following command:
    lsauth -R LDAP custom
    All the attribute information appears, with each attribute separated by a blank space.
  3. To display the authorization ID and description for the custom authorization in stanza format, use the following command:
    lsauth -f -a id description custom
    Information similar to the following appears:
    custom:
        id=11000
        description="Custom Authorization"
  4. To display the msgcat, msgset and msgnum attributes for the custom.test authorization in a colon format, use the following command:
    lsauth -C -a msgcat msgset msgnum custom.test
    Information similar to the following example appears:
    #name:ID:msgcat:msgset:msgnum
    custom.test:12000:custom_auths.cat:5:24
  5. To display the description for the entire authorization hierarchy that begins with aix.security, use the following command:
    lsauth -a description aix.security.*
    The aix.security authorization and all its children are listed with one authorization per line and a space between the authorization name and the description attribute.
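
Added example (not part of the original reference page): a shell function that reads the colon-separated records produced by the -C flag, finds the roles field from the leading comment line, and reports either every role-to-authorization membership or the authorizations that no role contains. The function name lsauth_role_report, the sample records, the role names and the custom.app.read authorization are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `lsauth -C -a id roles ALL` output; not captured from a
# real system. Role names and custom.app.read are hypothetical.
sample_lsauth_output() {
cat <<'EOF'
#name:id:roles
custom:11000:
custom.test:12000:appadmin,auditor
custom.app.read:12001:auditor
EOF
}

# lsauth_role_report MODE   (reads lsauth -C records on stdin)
#   pairs       print "role authorization" for every role membership
#   unassigned  print authorizations whose roles field is empty
# Exit status 2 means no "roles" column was found in the '#' comment line.
lsauth_role_report() {
    awk -F: -v mode="$1" '
        /^#/ {                       # comment line names each field
            col = 0
            for (i = 1; i <= NF; i++)
                if (tolower($i) == "roles") col = i
            next
        }
        NF == 0 { next }             # skip blank lines
        !col    { exit 2 }           # record seen before a usable header
        mode == "unassigned" && $col == "" { print $1 }
        mode == "pairs" && $col != "" {
            n = split($col, role, ",")
            for (i = 1; i <= n; i++) print role[i], $1
        }
    '
}

# On AIX, with a role holding aix.security.auth.list:
#   lsauth -C -a id roles ALL | lsauth_role_report unassigned
sample_lsauth_output | lsauth_role_report pairs
```

Because the roles column is located by name from the comment line, the function keeps working when the -a list is given in a different order or with additional attributes.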