Contains the list of valid roles.
The /etc/security/roles file contains the list of valid roles. This is an ASCII file that contains a stanza for each system role. Each stanza is identified by a role name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
The file supports a default stanza. If an attribute is not defined, the default value for the attribute is used, except in the case of the id attribute. The id attribute must be specified and unique for each role in the file.
A stanza contains the following attributes:
Attribute | Description |
---|---|
rolelist | Contains a list of roles implied by this role and allows a role to function as a super-role. If the rolelist attribute contains the value of "role1,role2", assigning the role to a user also assigns the roles of role1 and role2 to that user. |
authorizations | Contains the list of additional authorizations acquired by the user for this specific role. |
groups | Contains the list of groups that a user should belong to in order to effectively use this role. The user must be added to each group in this list for this role to be effective. |
screens | Contains a list of SMIT screen identifiers that allow a role to be mapped to various SMIT screens. The default value for this attribute is * (all screens). |
msgcat | Contains the file name of the message catalog that contains the one-line descriptions of system roles. |
msgnum | Contains the message ID that retrieves this role description from the message catalog. |
id | Specifies the unique numeric ID for the role. This is a required attribute when the system is in enhanced RBAC mode. This is used internally for security decisions. Do not modify the role ID after creating the role. |
dfltmsg | Contains the default role-description text if message catalogs are not in use. |
msgset | Contains the message set that contains the role description in the message catalog. |
auth_mode | Specifies the authentication mode when you assume the role using the swrole command when the system is in enhanced RBAC mode. The following values are valid: |
Do not directly edit the /etc/security/roles file. Use the following commands to manipulate the role database:
The mkrole command creates an entry for each new role in the /etc/security/roles file. To change the attribute values, use the chrole command. To display the attributes and their values, use the lsrole command. To remove a role, use the rmrole command.
When the system is operating in enhanced RBAC mode, changes made to the roles file do not take effect for security decisions until the entire roles database is sent to the Kernel Security Tables with the setkst command or until the system is rebooted.
To write programs that affect attributes in the /etc/security/roles file, use the subroutines listed in Related Information.
The root user and the security group own this file. Read and write access is granted to the root user, and read access to members of the security group. Access for other users and groups depends on the security policy for the system.
A typical stanza looks like the following example for the ManageAllUsers role:
```
ManageAllUsers:
	id = 110
	dfltmsg = "Manage all users"
	rolelist = ManageBasicUsers
	authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
	groups = security
	screens = mkuser,rmuser,!tcpip
```
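The following Python script is an added example, not AIX code or part of this page, that reads a roles file in the stanza format described above: it applies the default stanza, enforces the rule that id is required and unique per role, and expands rolelist so a super-role such as ManageAllUsers resolves to the roles and authorizations it implies. The ManageBasicUsers and default stanzas in the embedded sample are constructed for illustration; treating lines that begin with `*` as comments follows the convention of other AIX stanza files and is an assumption here.

```python
"""Parse an AIX-style /etc/security/roles stanza file (added example, not AIX code)."""
from collections import OrderedDict

# Constructed sample input modelled on the ManageAllUsers stanza shown above.
# The 'default' and 'ManageBasicUsers' stanzas are assumptions for illustration.
SAMPLE_ROLES = """\
default:
\tgroups = security
\tscreens = *

ManageBasicUsers:
\tid = 100
\tdfltmsg = "Manage basic users"
\tauthorizations = UserAdmin

ManageAllUsers:
\tid = 110
\tdfltmsg = "Manage all users"
\trolelist = ManageBasicUsers
\tauthorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
\tgroups = security
\tscreens = mkuser,rmuser,!tcpip
"""

# Attributes whose values are comma-separated lists.
LIST_ATTRS = {"rolelist", "authorizations", "groups", "screens"}


def parse_roles(text):
    """Return an ordered dict of stanza name -> {attribute: value}.

    Each stanza starts with 'name:'; attribute lines are 'attr = value'.
    List-valued attributes are split on commas. Raises ValueError on a
    malformed line or a duplicate stanza name.
    """
    stanzas = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("*"):   # blank or (assumed) comment line
            continue
        if line.endswith(":") and "=" not in line:
            current = line[:-1].strip()
            if current in stanzas:
                raise ValueError(f"line {lineno}: duplicate stanza {current!r}")
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected 'name:' or 'attr = value'")
        attr, value = (s.strip() for s in line.split("=", 1))
        value = value.strip('"')
        if attr in LIST_ATTRS:
            value = [v for v in value.split(",") if v]
        stanzas[current][attr] = value
    return stanzas


def resolve_roles(stanzas):
    """Apply the default stanza and validate ids.

    An attribute missing from a role is taken from 'default', except 'id',
    which must be present and unique for every role.
    """
    defaults = stanzas.get("default", {})
    roles = OrderedDict()
    seen_ids = {}
    for name, attrs in stanzas.items():
        if name == "default":
            continue
        if "id" not in attrs:
            raise ValueError(f"role {name!r}: required attribute 'id' missing")
        rid = int(attrs["id"])
        if rid in seen_ids:
            raise ValueError(f"role {name!r}: id {rid} already used by {seen_ids[rid]!r}")
        seen_ids[rid] = name
        merged = {k: v for k, v in defaults.items() if k != "id"}
        merged.update(attrs)
        merged["id"] = rid
        roles[name] = merged
    return roles


def effective_roles(roles, name, _seen=None):
    """Expand 'rolelist' transitively: the set of roles a user effectively holds."""
    _seen = _seen if _seen is not None else set()
    if name in _seen:          # guards against cycles in rolelist
        return _seen
    _seen.add(name)
    for implied in roles[name].get("rolelist", []):
        if implied not in roles:
            raise ValueError(f"role {name!r} implies undefined role {implied!r}")
        effective_roles(roles, implied, _seen)
    return _seen


def effective_authorizations(roles, name):
    """Sorted union of 'authorizations' over the role and every role it implies."""
    auths = set()
    for r in effective_roles(roles, name):
        auths.update(roles[r].get("authorizations", []))
    return sorted(auths)


if __name__ == "__main__":
    roles = resolve_roles(parse_roles(SAMPLE_ROLES))
    for name, attrs in roles.items():
        print(name, attrs["id"], attrs["screens"], effective_authorizations(roles, name))
```

Running the script against a copy of a real roles file (`parse_roles(open("/etc/security/roles").read())`) is a quick way to audit for missing or duplicate ids before the database is loaded with setkst; the parser only reads the file and never writes it, in keeping with the rule above that the file is managed with mkrole, chrole and rmrole rather than edited directly.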
Item | Description |
---|---|
/etc/security/roles | Contains the list of valid roles. |
/etc/security/user.roles | Contains the list of roles for each user. |
/etc/security/smitacl.group | Contains the group ACL definitions. |
/etc/security/smitacl.user | Contains the user ACL definitions. |