mkrole Command

Purpose

Creates new roles. This command applies only to AIX® 4.2.1 and later.

Syntax

mkrole [-R load_module] [ Attribute=Value ... ] Name

Description

The mkrole command creates a new role. The Name parameter must be a unique role name. You cannot use the ALL or default keywords as the role name.

You can use the Users application in Web-based System Manager to change user characteristics. You could also use the System Management Interface Tool (SMIT) to run this command.

If the system is configured to use multiple domains for the role database, the new role is created in the first domain specified by the secorder attribute of the roles stanza in the /etc/nscontrol.conf file. Use the -R flag to create a role in a specific domain.

Every role must have a unique role ID that is used for security decisions. If the id attribute is not specified when a role is created, the mkrole command automatically assigns a unique ID to the role.

When the system is operating in enhanced (RBAC) mode, roles created in the role database can be immediately assigned to users but are not used for security considerations until the database is sent to the kernel security tables using the setkst command.

Flags

Item	Description
-R load_module	Specifies the loadable module to use for role creation.

Parameters

Item	Description
Attribute=Value	Initializes a role attribute. Refer to the chrole command for the valid attributes and values.
Names	Specifies a unique role name string. Restrictions on Creating Role Names To prevent inconsistencies, restrict role names to characters with the POSIX portable filename character set. You cannot use the keywords ALL or default as a role name. Additionally, do not use any of the following characters within a role-name string: : (colon) " (quotation mark) # (pound sign) , (comma) = (equal sign) \ (backslash) / (forward slash) ? (question mark) ' (single quotation mark) ˋ (back quotation mark) Restriction: The Name parameter cannot contain any space, tab, or newline characters.

Item

Description

Attribute=Value

Initializes a role attribute. Refer to the chrole command for the valid attributes and values.

Names

Specifies a unique role name string.

Restrictions on Creating Role Names

To prevent inconsistencies, restrict role names to characters with the POSIX portable filename character set. You cannot use the keywords ALL or default as a role name. Additionally, do not use any of the following characters within a role-name string:

: (colon)
" (quotation mark)
# (pound sign)
, (comma)
= (equal sign)
\ (backslash)
/ (forward slash)
? (question mark)
' (single quotation mark)
ˋ (back quotation mark)

Restriction: The Name parameter cannot contain any space, tab, or newline characters.

Security

The mkrole command is a privileged command. You must assume a role that has the following authorization to run the command successfully.

Item	Description
aix.security.role.create	Required to run the command.

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Files Accessed:

Mode	File
rw	/etc/security/roles
r	/etc/security/user.roles

Auditing Events:

Event	Information
ROLE_Create	role

Examples

To create the ManageRoles role and have the command automatically generate a role ID, use the following command:
```
mkrole authorizations=aix.security.role ManageRoles
```
To create the ManageRoles role in LDAP, use the following command:
```
mkrole -R LDAP authorizations=aix.security.role manageRoles
```

Files

Item	Description
/etc/security/roles	Contains the attributes of roles.
/etc/security/user.roles	Contains the role attribute of users.