[ Book Contents | Library Home | Legal | Search ]
System Management Concepts: Operating System and Devices

Understanding Authorizations

Authorizations are authority attributes for a user. These authorizations allow a user to do certain tasks. For example, a user with the UserAdmin authorization can create an administrative user by running the mkuser command. A user without this authority cannot create an administrative user.

There are two types of authorizations:

Primary Authorization Allows a user to execute a specific command. For example, RoleAdmin authorization is a primary authorization allowing a user administrator to execute the chrole command. Without this authorization, the command terminates without modifying the role definitions.
Authorization modifier Increases the capability of a user. For example, UserAdmin authorization is an authorization modifier that increases the capability of a user administrator belonging to the group security. Without this authorization, the mkuser command only creates non-administrative users. With this authorization, the mkuser command also creates administrative users.

The authorizations perform the following functions:

Backup Performs a system backup.

The following command uses the Backup authorization:

Backup Backs up files and file systems. The user administrator must have Backup authorization.
Diagnostics Allows a user to run diagnostics. This authority is also required to run diagnostic tasks directly from the command line.

The following command uses the Diagnostics authorization:

diag Runs diagnostics on selected resources. If the user administrator does not have Diagnostics authority, the command terminates.
GroupAdmin Performs the functions of the root user on group data.

The following commands use the GroupAdmin authorization:

chgroup Changes any group information. If the user does not have GroupAdmin authorization, they can only change non-administrative group information.
chgrpmem Administers all groups. If the group administrator does not have GroupAdmin authorization, they can only change the membership of the group they administer or a user in group security to administer any non-administrative group.
chsec Modifies administrative group data in the /etc/group and /etc/security/group files. The user can also modify the default: stanza values. If the user does not have GroupAdmin authorization, they can only modify non-administrative group data in the /etc/group and /etc/security/group files.
mkgroup Creates any group. If the user does not have GroupAdmin authorization, the user can only create non-administrative groups.
rmgroup Removes any group. If the user does not have GroupAdmin authorization, the user can only remove non-administrative groups.
ListAuditClasses Views the list of valid audit classes. The user administrator who uses this authorization does not have to be the root user or in group audit.

Use the smit mkuser or smit chuser fast path to list audit classes available to make or change a user. Enter the list of audit classes in the AUDIT classes field.

PasswdAdmin Performs the functions of the root user on password data.

The following commands use the PasswdAdmin authorization:

chsec Modifies the lastupdate and flags attributes of all users. Without the PasswdAdmin authorization, the chsec command allows the user administrator to only modify the lastupdate and flags attribute of non-administrative users.
lssec Views the lastupdate and flags attributes of all users. Without the PasswdAdmin authorization, the lssec command allows the user administrator to only view the lastupdate and flags attribute of non-administrative users.
pwdadm Changes the password of all users. The user administrator must be in group security.
PasswdManage Performs password administration functions on non-administrative users.

The following command uses the PasswdManage authorization:

pwdadm Changes the password of a non-administrative user. The administrator must be in group security or have the PasswdManage authorization.
UserAdmin Performs the functions of the root user on user data. Only users with UserAdmin authorization can modify the role information of a user. You cannot access or modify user auditing information with this authorization.

The following commands use the UserAdmin authorization:

chfn Changes any user's gecos (general information) field. If the user does not have UserAdmin authorization but is in group security, they can change any non-administrative user's gecos field. Otherwise, users can only change their own gecos field.
chsec Modifies administrative user data in the /etc/passwd, /etc/security/environ, /etc/security/lastlog, /etc/security/limits, and /etc/security/user files including the roles attribute. The user administrator can also modify the default: stanza values and the /usr/lib/security/mkuser.default file, excluding the auditclasses attributes.
chuser Changes any user's information except for the auditclasses attribute. If the user does not have UserAdmin authorization, they can only change non-administrative user information, except for the auditclasses and roles attributes.
mkuser Creates any user, except for the auditclasses attribute. If the user does not have UserAdmin authorization, the user can only create non-administrative users, except for the auditclasses and roles attributes.
rmuser Removes any user. If the user administrator does not have UserAdmin authorization, they can only create non-administrative users.
UserAudit Allows the user to modify user-auditing information.

The following commands use the UserAudit authorization:

chsec Modifies the auditclasses attribute of the mkuser.default file for non-administrative users. If the user has UserAdmin authorization, they can also modify the auditclasses attribute of the mkuser.default file for administrative and non-administrative users.
chuser Modifies the auditclasses attribute of a non-administrative user. If the user administrator has UserAdmin authorization, they can also modify the auditclasses attribute of all users.
lsuser Views the auditclasses attribute of a non-administrative user if the user is root user or in group security. If the user has UserAdmin authorization, they can also view the auditclasses attribute of all users.
mkuser Creates a new user and allows user administrator to assign the auditclasses attribute of a non-administrative user. If the user has UserAdmin authorization, they can also modify the auditclasses attribute of all users.
RoleAdmin Performs the functions of the root user on role data.

The following commands use the RoleAdmin authorization:

chrole Modifies a role. If the user administrator does not have the RoleAdmin authorization, the command terminates.
lsrole Views a role.
mkrole Creates a role. If the user administrator does not have the RoleAdmin authorization, the command terminates.
rmrole Removes a role. If the user administrator does not have the RoleAdmin authorization, the command terminates.
Restore Performs a system restoration.

The following command uses the Restore authorization:

Restore Restores backed-up files. The user administrator must have Restore authorization.

See "Command to Authorization List" in the AIX Version 4.3 System Management Guide: Operating System and Devices for a mapping of commands to authorizations.


[ Book Contents | Library Home | Legal | Search ]