AIX Runtime Expert and RBAC
Role Based Access Control (RBAC) can be used to give non-root users the ability to execute the AIX® Runtime Expert commands.
AIX Runtime Expert authorizations
When the artex.base.rte fileset is installed, three system authorizations are created that allow different levels of access to the AIX Runtime Expert functionality:
- The aix.system.config.artex.read authorization allows the execution of the artexlist and artexmerge commands. The artexget and artexdiff commands are also allowed, but only to obtain the profile values. The values cannot be captured from the system (that is, the artexget command cannot be run with the -r, -n or -p flags, and the artexdiff command can only be run between two profiles).
- The aix.system.config.artex.get authorization allows all operations allowed by the aix.system.config.artex.read authorization, and additionally allows the unrestricted execution of the artexget and artexdiff commands.
- The aix.system.config.artex.set authorization allows all operations allowed by the aix.system.config.artex.get authorization, and additionally allows the execution of the artexset command.
AIX Runtime Expert roles
AIX Runtime Expert does not create any new role; however, the artex.base.rte fileset adds the aix.system.config.artex authorization to the SysConfig role. Any user with the SysConfig role or any enclosing role (such as the isso role) will be able to run the artexlist, artexmerge, artexdiff, artexget and artexset commands.
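The following shell functions are an added example, not IBM code: they model the three authorization levels and the aix.system.config.artex parent authorization described above, so that a role's authorization list can be audited for the AIX Runtime Expert invocations it permits. The function names are hypothetical, and treating aix, aix.system and aix.system.config as parents that also imply the artex authorizations is an assumption about the RBAC authorization hierarchy.

```shell
#!/bin/sh
# Added example (not IBM code): model of the authorization levels above.

# artex_level AUTHS: print none|read|get|set for a comma-separated
# authorization list such as a role's "authorizations" attribute.
artex_level() {
    level=0
    old_ifs=$IFS; IFS=,
    for auth in $1; do
        case $auth in
            # Assumption: a parent authorization implies those below it.
            aix|aix.system|aix.system.config|aix.system.config.artex) n=3 ;;
            aix.system.config.artex.set)  n=3 ;;
            aix.system.config.artex.get)  n=2 ;;
            aix.system.config.artex.read) n=1 ;;
            *) n=0 ;;
        esac
        if [ "$n" -gt "$level" ]; then level=$n; fi
    done
    IFS=$old_ifs
    case $level in
        3) echo set ;; 2) echo get ;; 1) echo read ;; *) echo none ;;
    esac
}

# artex_may_run LEVEL CMD [ARGS...]: exit status 0 if the rules above
# allow the invocation. Simplification: every argument that does not
# start with "-" is counted as a profile operand.
artex_may_run() {
    lvl=$1; cmd=$2; shift 2
    if [ "$lvl" = none ]; then return 1; fi
    case $cmd in
        artexlist|artexmerge) return 0 ;;
        artexset) if [ "$lvl" = set ]; then return 0; fi; return 1 ;;
        artexget|artexdiff) ;;
        *) return 1 ;;
    esac
    if [ "$lvl" != read ]; then return 0; fi
    profiles=0
    for arg in "$@"; do
        case $arg in
            -r|-n|-p) if [ "$cmd" = artexget ]; then return 1; fi ;;
            -*) ;;
            *) profiles=$((profiles + 1)) ;;
        esac
    done
    if [ "$cmd" = artexdiff ] && [ "$profiles" -ne 2 ]; then return 1; fi
    return 0
}
```

Feeding artex_level the authorization list of each custom role shows which roles reach the set level and can therefore change system configuration through artexset.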
Restrictions
For security reasons, the use of the ARTEX_CATALOG_PATH environment variable is restricted to the root user. Non-root users who are granted the right to execute the AIX Runtime Expert commands through RBAC cannot use the ARTEX_CATALOG_PATH environment variable.