rmrole Command

Purpose

Removes a role. This command applies only to AIX® 4.2.1 and later.

Syntax

rmrole [-R load_module] Name

Description

The rmrole command removes the role identified by the Name parameter from the /etc/security/roles file. The role name must already exist.

You can use Web-based System Manager Users application or the System Management Interface Tool (SMIT) to run this command.

If the system is configured to use databases from multiple domains, the rmrole command finds the first match from the database domains in the order that it was specified by the secorder attribute of the roles stanza in the /etc/nscontrol.conf file. Meanwhile, the rmrole command removes the role entry from the domain. If any matching roles from the rest of the domains exist, they are not affected. Use the -R flag to remove a role from a specific domain.

When the system is operating in enhanced role based access control (RBAC) mode, roles removed from the role database still exist in the kernel security tables (KST) until the KST is updated with the setkst command.

Flags

Item Description
-R load_module Specifies the loadable module to use for role deletion.

Security

The rmrole command is a privileged command. You must have the aix.security.role.remove authorization to run the command:
Item Description
aix.security.role.remove Required to run the command.

Files Accessed:

Mode File
rw /etc/security/roles
r /etc/security/user.roles

Auditing Events:

Event Information
ROLE_Remove role

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To remove the ManageObjects role, use the following command:
    rmrole ManageObjects
  2. To remove the ManageRoles role from LDAP, use the following command:
    rmrole -R LDAP ManageRoles

Files

Item Description
/etc/security/roles Contains the attributes of roles.
/etc/security/user.roles Contains the role attribute of users.