lsrole Command

Purpose

Displays role attributes. This command applies only to AIX® 4.2.1 and later.

Syntax

lsrole [-R load_module] [ -c | -f | -C] [ -a List ] { ALL | Name [ ,Name ] ... }

Description

The lsrole command displays the role attributes. You can use this command to list all attributes of all the roles or all the attributes of specific roles. Since there is no default parameter, you must enter the ALL keyword to see the attributes of all the roles. By default, the lsrole command displays all role attributes. To view selected attributes, use the -a List flag. If one or more attributes cannot be read, the lsrole command lists as much information as possible.

By default, the lsrole command lists each role's attributes on one line. It displays attribute information as Attribute=Value definitions, each separated by a blank space. To list the role attributes in stanza format, use the -f flag. To list the information as colon-separated records, use the -c flag.

You can use the Users application in Web-based System Manager (wsm) to change user characteristics. You could also use the System Management Interface Tool (SMIT) to run this command.

If the system is configured to use multiple domains for the role database, the roles, as specified by the Name parameter, are searched from the domains in the order specified by the secorder attribute of the roles stanza in the /etc/nscontrol.conf file. If duplicate entries exist in multiple domains, only the first entry instance is listed. Use the -R flag to list the roles from a specific domain.

The lsrole command only lists the role definitions available in the roles database. If the system is operating in enhanced Role Based Access Control (RBAC) mode, the information in the roles database might differ from what is used for security considerations on the system in the kernel security tables (KST). To view the state of the roles database in the KST, use the lskst command.

Flags

Item Description
-a List Lists the attributes to display. The List variable can include any attribute that is defined in the chrole command. Specify more than one attributes with a blank space between attribute names. If an empty list is specified, only the role names are displayed. In addition to the attributes defined in the chrole command, the following attributes can also be listed with the -a flag:
all_auths
Traverses the role hierarchy of the specified roles and gathers all the authorizations. The all_auths attribute differs from the authorizations attribute because the lsrole command only lists the explicit authorizations of the specified roles for that attribute.
users
Displays the users that are granted the specified roles.
description
Displays the text description of the role as indicated by the dfltmsg, msgcat, msgset and msgnum attributes for the role.
-c Displays the role attributes in colon-separated records, as follows:
# role:  attribute1:  attribute2:  ... 
  Role:  value1:      value2:      ...
-C Displays the role attributes in colon-separated records that are easier to parse than the output of the -c flag:
#role:attribute1:attribute2: ...
role:value1:value2: ...
role2:value1:value2: ...
The output is preceded by a comment line that has details about the attribute represented in each colon-separated field. If you specified the -a flag, the order of the attributes matches the order specified in the -a flag. If a role does not have a value for a given attribute, the field is still displayed but is empty. The last field in each entry is ended by a newline character rather than a colon.
-f Displays the output in stanzas, with each stanza identified by a role name. Each Attribute=Value pair is listed on a separate line:
Role:
       attribute1=value
       attribute2=value
       attribute3=value
-R load_module Specifies the loadable module to list roles from.

Security

The lsrole command is a privileged command. You must assume a role that has the following authorization to run the command successfully.
Item Description
aix.security.role.list Required to run the command.
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Files Accessed:

Mode File
r /etc/security/roles

Examples

  1. To display the role rolelist and groups of the role ManageAllUsers in a colon format, use the following command:
    lsrole -c -a rolelist groups ManageAllUsers
    Information similar to the following appears:
    # role: rolelist:groups
     ManageAllUsers: ManagerBasicUser:security
  2. To list all attributes of the ManageAllUsers role from LDAP, use the following command:
    lsrole -R LDAP ManageAllUsers
    All the attribute information appears, with each attribute separated by a blank space.

Files

Item Description
/etc/security/roles Contains the attributes of roles.