Predefined roles

A set of predefined roles is defined in the local role database (/etc/security/roles) on new installations of AIX® Version 6.1 and later. This set of roles is intended to group typical administrative responsibilities.

This set of roles serves as a suggested means of dividing administrative duties. Role administrators can modify or remove these roles or create new roles as needed for their environment. The following table lists the provided roles with a brief description of each role's abilities.

Role name: Role description

auditadm: Audit Administrator. The auditadm role is responsible for configuring the auditing and logging policies of the system, including system-wide, single-user, and single-role attributes. This role has access to viewing the audit trail.

fsadm: File System Administrator. The fsadm role creates file systems and makes them available to users on the system. Some of the fsadm role responsibilities include:
  • Specifying mount policies
  • Sharing policies
  • Assigning quotas
  • Determining the level of compression
  • Establishing file system formats
  • Performing backup and restore activities

isso: Information System Security Officer. An ISSO is responsible for creating and assigning roles and is therefore the most powerful role on the system. Some ISSO responsibilities include:
  • Establishing and maintaining security policy
  • Setting passwords for users
  • Network configuration
  • Device administration

pkgadm: Software Package Administrator. The pkgadm role is responsible for the software that is installed on the system, and has default permissions to install, update, and remove system software.

sa: System Administrator. The SA role provides functionality for daily administration and is responsible for:
  • User administration (except password setting)
  • File system administration
  • Software installation update
  • Network daemon management
  • Device allocation

secadm: Security Administrator. The secadm role maintains the security settings on the system. The secadm assigns attributes like memberships in groups, roles, authorizations, and clearances to users and assigns roles that are not already specified with their roles. The secadm role also assigns security attributes to system objects, including RBAC settings, access control lists, ownership, and membership. Some of the responsibilities of the secadm role include the following:
  • Assigning passwords for new user accounts
  • Unlocking locked accounts

so: System Operator. The SO role provides functionality for day to day operations and is responsible for:
  • System shutdown and reboot
  • File system backup, restore and quotas
  • System error logging, trace and statistics
  • Workload administration

svcadm: Service Administrator. The svcadm role enables, configures, and disables system services. This role allows the configuring of networking attributes such as IP addresses, routes, host names, and firewall policies.

sysop: System Operator. The sysop role maintains the overall system with permissions that include running system diagnostics and performing routine system maintenance. Some of the tasks that the sysop is responsible for include:
  • Purging log files and print queues
  • Stopping and restarting systems

useradm: User Administrator. The useradm role is responsible for the higher level tasks related to user maintenance without managing passwords. The useradm creates, modifies, and deletes user accounts as defined by default security settings. This role also creates additional roles and groups with default security settings.
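
Because these roles are meant to divide administrative duties, it is worth checking that role assignments have not drifted back toward one account holding several of them. The following is an added example, not part of the original documentation. It assumes role assignments are listed as `user roles=r1,r2` lines (the shape of `lsuser -a roles ALL` output), and the conflict policy in `CONFLICT_SET` (isso, sa and so held by different people) is an assumption to adapt to your own policy.

```shell
#!/bin/sh
# Added example. CONFLICT_SET is an assumed policy, not an AIX default:
# roles listed here should not be combined on a single account.
CONFLICT_SET="isso sa so"

# Reads "user roles=r1,r2" lines on stdin. Prints:
#   OVERLAP <user> <roles>  when the user holds 2+ roles from CONFLICT_SET
#   ISSO <user>             when the user holds isso (the most powerful role)
#                           and no other role from CONFLICT_SET
audit_role_overlap() {
    awk -v cset="$CONFLICT_SET" '
    BEGIN {
        n = split(cset, s, " ")
        for (i = 1; i <= n; i++) conflict[s[i]] = 1
    }
    {
        user = $1; held = ""; count = 0
        for (f = 2; f <= NF; f++) {
            if ($f !~ /^roles=/) continue
            sub(/^roles=/, "", $f)
            m = split($f, r, ",")
            for (j = 1; j <= m; j++)
                if (r[j] in conflict)
                    held = held (count++ ? "," : "") r[j]
        }
        if (count >= 2)          printf "OVERLAP %s %s\n", user, held
        else if (held == "isso") printf "ISSO %s\n", user
    }'
}

# Constructed sample input (not taken from a real system).
sample_lsuser_output() {
    cat <<'EOF'
root roles=
alice roles=isso
bob roles=sa,fsadm
carol roles=isso,sa,pkgadm
dave roles=so,sa
EOF
}

# On an AIX host: lsuser -a roles ALL | audit_role_overlap
sample_lsuser_output | audit_role_overlap
```

Roles outside `CONFLICT_SET` (fsadm and pkgadm in the sample) are ignored by the check, so extend the set if your policy also separates those.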