mkrole Command

Purpose

Creates new roles. This command applies only to AIX® 4.2.1 and later.

Syntax

mkrole [-R load_module] [ Attribute=Value ... ] Name

Description

The mkrole command creates a new role. The Name parameter must be a unique role name. You cannot use the ALL or default keywords as the role name.

You can use the Users application in Web-based System Manager to change user characteristics. You could also use the System Management Interface Tool (SMIT) to run this command.

If the system is configured to use multiple domains for the role database, the new role is created in the first domain specified by the secorder attribute of the roles stanza in the /etc/nscontrol.conf file. Use the -R flag to create a role in a specific domain.

Every role must have a unique role ID that is used for security decisions. If the id attribute is not specified when a role is created, the mkrole command automatically assigns a unique ID to the role.

When the system is operating in enhanced (RBAC) mode, roles created in the role database can be immediately assigned to users but are not used for security considerations until the database is sent to the kernel security tables using the setkst command.

Flags

Item Description
-R load_module Specifies the loadable module to use for role creation.

Parameters

Item Description
Attribute=Value Initializes a role attribute. Refer to the chrole command for the valid attributes and values.
Names Specifies a unique role name string.

Restrictions on Creating Role Names

To prevent inconsistencies, restrict role names to characters with the POSIX portable filename character set. You cannot use the keywords ALL or default as a role name. Additionally, do not use any of the following characters within a role-name string:
  • : (colon)
  • " (quotation mark)
  • # (pound sign)
  • , (comma)
  • = (equal sign)
  • \ (backslash)
  • / (forward slash)
  • ? (question mark)
  • ' (single quotation mark)
  • ˋ (back quotation mark)
Restriction: The Name parameter cannot contain any space, tab, or newline characters.

Security

The mkrole command is a privileged command. You must assume a role that has the following authorization to run the command successfully.
Item Description
aix.security.role.create Required to run the command.
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Files Accessed:

Mode File
rw /etc/security/roles
r /etc/security/user.roles

Auditing Events:

Event Information
ROLE_Create role

Examples

  1. To create the ManageRoles role and have the command automatically generate a role ID, use the following command:
    mkrole authorizations=aix.security.role ManageRoles
  2. To create the ManageRoles role in LDAP, use the following command:
    mkrole -R LDAP authorizations=aix.security.role manageRoles

Files

Item Description
/etc/security/roles Contains the attributes of roles.
/etc/security/user.roles Contains the role attribute of users.