Role-based Access Control in VIO:
The concepts of RBAC in VIO and AIX are the same, but the syntax is slightly different.
How to assign a role to a user:
Method 1: When you create the user
$ mkuser -attr roles=PAdmin user1
Method 2: After creating the user
$ chuser -attr roles=PAdmin user1
Some error messages may contain invalid information for the Virtual I/O Server environment.
3004-692 Error changing "roles" to "PAdmin" : Value is invalid.
Command did not complete.
"Changing user" was last subcommand run.
To get around this, clear default_roles in the same command. This is the right syntax:
$ chuser -attr roles=PAdmin default_roles="" user1
How to use the role:
Log on to the VIO server as the user you just created.
List my roles:
$ rolelist -a
Show my effective roles at the moment:
$ rolelist -e
rolelist: 1420-062 There is no active role set.
It means I don't have the padmin privileges yet. For example, I am not able to run the mount command:
Access to run command is not valid.
So I need to "switch" to the role to make it effective (this prompts for my password for security reasons and starts a sub-shell):
$ swrole - PAdmin
Now "PAdmin" is an effective role:
$ rolelist -e
I am still user1:
But I possess the PAdmin privileges and even can go to the oem_setup_env:
To come back to the normal non-privileged mode, just exit or press Ctrl-D.
$ lsuser user1
user1 roles=Admin default_roles=Admin account_locked=false expires=0 histexpire=0 histsize=0 loginretries=0 maxage=0 maxexpired=-1 maxrepeats=8 minage=0 minalpha=0 mindiff=0 minlen=0 minother=0 pwdwarntime=330 registry=files SYSTEM=compat
When you create a user, the default role is "Admin" (which is different from PAdmin). But in my opinion it is too much for a default user setting.
I have extracted the following privileges from the "lsrole Admin" command:
The above privileges allow an ordinary user to change some parts of the VIO configuration (for example unmounting a filesystem, removing LVM objects, etc.), so beware of this.
As a good practice, use ViewOnly as the initial role, or even leave it blank:
$ mkuser -attr roles=ViewOnly default_roles="" user2
$ mkuser -attr roles="" default_roles="" user3
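As an added check (not part of the original post), the following shell function scans lsuser output and lists every user whose default_roles would grant a role other than ViewOnly at login, i.e. without an explicit swrole. It assumes the one-line-per-user attribute=value layout shown above for user1; the sample output is constructed, not captured from a real VIO server.

```sh
# Constructed sample in the layout of `lsuser ALL` on a VIO server
# (one user per line, space-separated attribute=value pairs). Not real data.
SAMPLE_LSUSER='user1 roles=Admin default_roles=Admin account_locked=false registry=files
user2 roles=ViewOnly default_roles= account_locked=false registry=files
user3 roles= default_roles= account_locked=false registry=files
user4 roles=PAdmin default_roles= account_locked=false registry=files
padmin roles=PAdmin default_roles=PAdmin account_locked=false registry=files'

# Print "<user> <default_roles>" for each user whose default_roles is neither
# empty nor exactly ViewOnly. Such users receive privileges as soon as they
# log in, bypassing the swrole password prompt and its sub-shell boundary.
flag_default_privileged_roles() {
    printf '%s\n' "$1" | awk '
    {
        user = $1; def = ""
        for (i = 2; i <= NF; i++) {
            # "default_roles=" is 14 characters; the value starts at 15
            if ($i ~ /^default_roles=/) { def = substr($i, 15) }
        }
        if (def != "" && def != "ViewOnly") { print user, def }
    }'
}

# On a real system: flag_default_privileged_roles "$(lsuser ALL)"
flag_default_privileged_roles "$SAMPLE_LSUSER"
```

user4 is not flagged: it holds PAdmin in roles but must still run swrole to activate it, which is the pattern the post recommends.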