Activating a role
By default in AIX Version 6.1 and later with enhanced RBAC, when a user authenticates to the system, the user’s session does not have any associated roles or authorizations. In order to associate roles to the session, the user must invoke a separate authentication command (the swrole command) to switch to the role or roles.
The user can only activate roles that have previously been assigned to the user. By default, a user is required to authenticate as themselves when entering a role session or when adding a role to their session. Roles can optionally be designated to not require authentication with the auth_mode role attribute.
Switching to a new role session creates a new shell (session) that does not inherit the roles of the prior session. This is accomplished by creating a new process shell for the role and assigning the new role ID (RID) to the process. Creating the new session is similar to using the su command, except that only the role ID of the process changes, not characteristics such as the UID or GID. The swrole command allows the user to create a role session composed of a single role or multiple roles. There is no restriction preventing a user from switching to a new role session from the current role session; because the new session is a new process, it does not inherit any roles from the prior session. To restore the previous session, the user must exit the current role session. The roles assumed in a session (the active role set) can be listed by running the rolelist command in the session. An administrator can also use the rolelist command to list the active role set for a given system process.
A user can optionally be assigned a default set of roles with the new default_roles user attribute. This attribute is intended for situations where processes that are created on behalf of a user always need to be associated with a given set of roles, for example, the cron command. The cron facility runs in the background and runs commands as the defined user. Some of the commands that are run may require authorizations, so there must be a way to designate that a set of roles is always active for a user ID, since there is no mechanism for the cron command to acquire these roles later. The default_roles attribute can be set to include up to eight role names or the special value ALL. Setting default_roles=ALL assigns all of the user's roles to the session. If the user has been assigned more than eight roles, only the first eight roles will be enabled for the session.
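The following shell helpers are an added example and are not part of the IBM documentation. They wrap the procedure described above (entering a role session with swrole, listing the active role set with rolelist, and assigning default_roles with chuser) and, for an administrator who cannot run the AIX commands on the spot, validate a default_roles value locally against the eight-role limit. The role names used as sample input (isso, sa, so and the r1..r10 series) are constructed; the rolelist flags (-e for the current session, -p for a process ID) and the lsuser -a invocation are assumed from the AIX command reference and should be checked against your release.

```sh
#!/bin/sh
# Added example for AIX enhanced RBAC role sessions (not IBM's code).
# Assumes an AIX 6.1+ host with enhanced RBAC for the swrole/rolelist/
# chuser/lsuser wrappers; the validation helpers run anywhere.

# count_roles LIST: number of comma-separated role names in LIST.
count_roles() {
    [ -z "$1" ] && { echo 0; return; }
    echo "$1" | tr ',' '\n' | grep -c .
}

# check_default_roles VALUE: accept ALL or at most eight role names.
# Returns 1 (with a warning) when more than eight are listed, because
# only the first eight would take effect for the session.
check_default_roles() {
    value=$1
    [ "$value" = "ALL" ] && return 0
    n=$(count_roles "$value")
    if [ "$n" -gt 8 ]; then
        echo "default_roles lists $n roles; only the first eight would be active" >&2
        return 1
    fi
    return 0
}

# effective_default_roles VALUE: the roles that will actually be active
# for a session started with this default_roles value (first eight names;
# ALL is returned unchanged).
effective_default_roles() {
    [ "$1" = "ALL" ] && { echo ALL; return; }
    echo "$1" | tr ',' '\n' | head -n 8 |
        awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# open_role_session ROLE[,ROLE...]: start a new role session. swrole
# spawns a new shell carrying only the named roles (nothing is inherited
# from the current session); the user is prompted to authenticate unless
# the role's auth_mode says otherwise. Exit that shell to return here.
open_role_session() {
    command -v swrole >/dev/null 2>&1 ||
        { echo "swrole not found: not an AIX enhanced-RBAC host" >&2; return 2; }
    swrole "$1"
}

# active_roles [PID]: print the active role set of the current session,
# or, for an administrator, of the process PID (flags assumed: -e, -p).
active_roles() {
    command -v rolelist >/dev/null 2>&1 ||
        { echo "rolelist not found: not an AIX enhanced-RBAC host" >&2; return 2; }
    if [ -n "$1" ]; then
        rolelist -p "$1"
    else
        rolelist -e
    fi
}

# set_default_roles USER VALUE: validate VALUE, assign it with chuser and
# read the attribute back so the change is visible in the audit trail.
set_default_roles() {
    check_default_roles "$2" || return 1
    command -v chuser >/dev/null 2>&1 ||
        { echo "chuser not found: not an AIX host" >&2; return 2; }
    chuser "default_roles=$2" "$1" && lsuser -a default_roles "$1"
}

# Local demonstration with constructed values (no AIX commands needed).
for sample in "isso,sa,so" "ALL" "r1,r2,r3,r4,r5,r6,r7,r8,r9,r10"; do
    if check_default_roles "$sample" 2>/dev/null; then
        echo "ok:       $sample"
    else
        echo "truncate: $sample -> $(effective_default_roles "$sample")"
    fi
done
```

On an AIX host, `open_role_session isso` opens the role shell, `active_roles` inside it confirms the active role set, and `set_default_roles cronuser isso,sa` assigns the two roles that cron jobs for that account should always carry.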