Displays role attributes. This command applies only to AIX® 4.2.1 and later.
The lsrole command displays the role attributes. You can use this command to list all attributes of all the roles or all the attributes of specific roles. Since there is no default parameter, you must enter the ALL keyword to see the attributes of all the roles. By default, the lsrole command displays all role attributes. To view selected attributes, use the -a List flag. If one or more attributes cannot be read, the lsrole command lists as much information as possible.
By default, the lsrole command lists each role's attributes on one line. It displays attribute information as Attribute=Value definitions, each separated by a blank space. To list the role attributes in stanza format, use the -f flag. To list the information as colon-separated records, use the -c flag.
You can use the Users application in Web-based System Manager (wsm) to change user characteristics. You could also use the System Management Interface Tool (SMIT) to run this command.
If the system is configured to use multiple domains for the role database, the roles, as specified by the Name parameter, are searched from the domains in the order specified by the secorder attribute of the roles stanza in the /etc/nscontrol.conf file. If duplicate entries exist in multiple domains, only the first entry instance is listed. Use the -R flag to list the roles from a specific domain.
The lsrole command only lists the role definitions available in the roles database. If the system is operating in enhanced Role Based Access Control (RBAC) mode, the information in the roles database might differ from what is used for security considerations on the system in the kernel security tables (KST). To view the state of the roles database in the KST, use the lskst command.
Item | Description |
---|---|
-a List | Lists the attributes to display. The List variable can include any attribute that is defined in the chrole command. Specify more than one attribute with a blank space between attribute names. If an empty list is specified, only the role names are displayed. In addition to the attributes defined in the chrole command, the following attributes can also be listed with the -a flag: |
-c | Displays the role attributes in colon-separated records, as follows: |
-C | Displays the role attributes in colon-separated records that are easier to parse than the output of the -c flag: The output is preceded by a comment line that has details about the attribute represented in each colon-separated field. If you specified the -a flag, the order of the attributes matches the order specified in the -a flag. If a role does not have a value for a given attribute, the field is still displayed but is empty. The last field in each entry is ended by a newline character rather than a colon. |
-f | Displays the output in stanzas, with each stanza identified by a role name. Each Attribute=Value pair is listed on a separate line: |
-R load_module | Specifies the loadable module to list roles from. |

Item | Description |
---|---|
aix.security.role.list | Required to run the command. |

Files Accessed:

Mode | File |
---|---|
r | /etc/security/roles |

    lsrole -c -a rolelist groups ManageAllUsers

Information similar to the following appears:

    # role: rolelist:groups
    ManageAllUsers: ManagerBasicUser:security

    lsrole -R LDAP ManageAllUsers

All the attribute information appears, with each attribute separated by a blank space.

Item | Description |
---|---|
/etc/security/roles | Contains the attributes of roles. |
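
An added example, not part of the IBM documentation: a POSIX shell and awk parser for colon-separated output shaped like the lsrole -c example above, which uses the header comment line to name each field and keeps empty fields. The sample input is constructed from the page's example; ExampleRole and the function names are hypothetical, and attribute values are assumed to contain no colons.

```shell
#!/bin/sh
# Added example (not IBM code). Parses colon-separated role records shaped like
# the lsrole -c example on this page: a "#" comment line naming each field,
# then one record per role. Assumption: attribute values contain no ':'.

# Constructed sample: the page's example record plus one hypothetical role
# (ExampleRole) whose attributes are empty, so its fields are present but blank.
sample_lsrole_output() {
    printf '%s\n' \
        '# role: rolelist:groups' \
        'ManageAllUsers: ManagerBasicUser:security' \
        'ExampleRole::'
}

# Emit one "role<TAB>attribute<TAB>value" line per field, named by the header.
# Exits non-zero if a record has no header or the wrong number of fields.
parse_lsrole_colon() {
    awk -F: '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function fail(msg) { print "line " NR ": " msg | "cat 1>&2"; bad = 1 }
        /^[ \t]*$/ { next }                       # skip blank lines
        /^#/ {                                    # header comment line
            sub(/^#/, "")
            ncols = split($0, names, ":")
            for (i = 1; i <= ncols; i++) names[i] = trim(names[i])
            next
        }
        ncols == 0  { fail("record before header"); next }
        NF != ncols { fail("expected " ncols " fields, got " NF); next }
        {
            role = trim($1)
            for (i = 2; i <= NF; i++)
                printf "%s\t%s\t%s\n", role, names[i], trim($i)
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Print the value of one attribute of one role; reads the same input on stdin.
role_attr() {
    parse_lsrole_colon | awk -F'\t' -v r="$1" -v a="$2" \
        '$1 == r && $2 == a { print $3 }'
}

sample_lsrole_output | parse_lsrole_colon
```

On a system where the command is available, pipe the output of lsrole -c -a rolelist groups ALL into parse_lsrole_colon in place of the sample function.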