chrole Command

Purpose

Changes role attributes.

Syntax

chrole [-R load_module] Attribute=Value ... Name

Description

The chrole command changes attributes for the role identified by the Name parameter. The role name must already exist. To change an attribute, specify the attribute name and the new value with the Attribute=Value parameter.

If any attribute name or attribute value you specify is incorrect, the chrole command changes no attributes at all; the change is applied only when every Attribute=Value pair is valid.

You can also use the System Management Interface Tool (SMIT) smit chrole fast path to run this command.

If the system is configured to use multiple domains for the role database, role modification is performed according to the order specified by the secorder attribute of the roles database stanza in the /etc/nscontrol.conf file. Only the first matching role is modified. Duplicate roles from the remaining domains are not modified. Use the -R flag to modify the role from a specific domain.

When the system is operating in enhanced Role Based Access Control (RBAC) mode, modifications made to the role database are not used for security considerations until the database is sent to the kernel security tables through the setkst command.

Flags

Item Description
-R load_module Specifies the loadable module to use for the role modification.

Attributes

If you have the proper authority, you can set the following role attributes:

Item Description
auditclasses List of the role's audit classes. The Value parameter is a list of comma-separated classes or a value of ALL to indicate all audit classes.
auth_mode Specifies the authentication that is required to assume the role when the swrole command is used. You can specify the following values:
NONE
No authentication is required.
INVOKER
The invoker of the swrole command is required to enter their own password to assume the role. The INVOKER value is the default value.
authorizations List of additional authorizations required for this role beyond those defined by the roles in the rolelist attribute. The Value parameter is a list of authorization names, separated by commas.
dfltmsg Contains the default role-description text to use if message catalogs are not in use.
groups List of groups to which a user should belong, in order to effectively use this role. This attribute is for information only and does not automatically make the user a member of the list of groups. The Value parameter is a list of group names, separated by commas.
hostsenabledrole Specifies the hosts which can download the role definition to the Kernel Role table by using the setkst command. This attribute must be used in a networked environment where the role attributes are shared by multiple hosts.
hostsdisabledrole Specifies the hosts which cannot download the role definition to the Kernel Role table using the setkst command. This attribute is intended to be used in a networked environment where the role attributes are shared by multiple hosts.
id Specifies the unique numeric ID for the role. You must specify the id attribute.

Attention: Do not modify the id attribute value after the role is assigned to a user.

msgcat Contains the file name of the message catalog that holds the one-line descriptions of system roles. The Value parameter is a character string.
msgnum Contains the index into a message catalog for a description of the role. The Value parameter is an integer.
msgset Contains the message set that includes the role description in the message catalog.
rolelist Lists the roles implied by this role. The Value parameter is a list of role names, separated by commas.

If the -R flag is specified, it overrides the roles stanza in the /etc/nscontrol.conf file.

screens Lists the SMIT screen identifiers allowing roles to be mapped to various SMIT screens. The Value parameter is a list of SMIT screen identifiers, separated by commas.
visibility Specifies the role's visibility status to the system. The Value parameter is an integer. Possible values are:
1
The role is enabled, displayed, and selectable. Authorizations contained in this role are applied to the user. If the attribute does not exist or has no value, the default value is 1.
0
The role is enabled and displayed as existing, but not selectable through a visual interface. Authorizations contained in this role are applied to the user.
-1
The role is disabled. Authorizations contained in this role are not applied to the user.
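The following is an added example, not IBM's code and not the actual implementation of chrole. It models the two behaviours described above that are easy to get wrong when scripting role changes: the all-or-nothing rule (one bad attribute name or value means nothing is written) and the effect of visibility and rolelist on the authorizations a user actually receives. The stanza layout (a role name followed by a colon, then indented Attribute = Value lines) is assumed from the standard AIX stanza file format, the sample file content is constructed, and the rule that a disabled (visibility -1) role contributes nothing even when reached through another role's rolelist is this example's assumption, not a statement from the page.

```python
"""Model of chrole's all-or-nothing update and of effective authorizations.

Added example; not IBM's implementation of chrole. The stanza layout is
assumed from the AIX stanza file format and SAMPLE_ROLES is constructed.
"""
import re

# Constructed stand-in for an /etc/security/roles excerpt with three roles.
SAMPLE_ROLES = """\
ManagePasswds:
\tauthorizations = aix.security.passwd
\trolelist =
\tgroups = security
\tvisibility = 1
\tid = 11
\tdfltmsg = Manage passwords

ManageAudit:
\tauthorizations = aix.security.audit
\tvisibility = -1
\tid = 12

SecurityAdmin:
\tauthorizations = aix.security.role
\trolelist = ManagePasswds,ManageAudit
\tvisibility = 1
\tid = 13
"""

# Attributes whose value is a comma-separated list (from the attribute table).
LIST_ATTRS = {"auditclasses", "authorizations", "groups", "rolelist", "screens",
              "hostsenabledrole", "hostsdisabledrole"}
KNOWN_ATTRS = LIST_ATTRS | {"auth_mode", "dfltmsg", "id", "msgcat", "msgnum",
                            "msgset", "visibility"}


def _coerce(attr, value):
    """Split list-valued attributes on commas; keep everything else as a string."""
    return [v for v in value.split(",") if v] if attr in LIST_ATTRS else value


def parse_stanzas(text):
    """Parse stanza text into {role: {attr: value}} (assumed AIX stanza layout)."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace() and line.endswith(":"):   # "RoleName:" header
            current = line[:-1]
            roles[current] = {}
            continue
        m = re.match(r"\s*(\w+)\s*=\s*(.*)$", line)
        if m is None or current is None:
            raise ValueError("malformed stanza line: %r" % raw)
        roles[current][m.group(1)] = _coerce(m.group(1), m.group(2).strip())
    return roles


def validate(attr, value):
    """Return an error string, or None when Attribute=Value is acceptable."""
    if attr not in KNOWN_ATTRS:
        return "unknown attribute %s" % attr
    if attr == "auth_mode" and value not in ("NONE", "INVOKER"):
        return "auth_mode must be NONE or INVOKER"
    if attr == "visibility" and value not in ("1", "0", "-1"):
        return "visibility must be 1, 0 or -1"
    if attr in ("id", "msgnum") and not value.isdigit():
        return "%s must be an integer" % attr
    return None


def chrole(roles, name, *assignments):
    """Apply Attribute=Value pairs to role `name`; any invalid pair rejects all.

    Returns (ok, message). Nothing is written until every pair has passed
    validation, which is the all-or-nothing behaviour the chrole page describes.
    """
    if name not in roles:
        return False, "role %s does not exist" % name
    parsed = []
    for a in assignments:
        attr, sep, value = a.partition("=")
        if not sep:
            return False, "expected Attribute=Value, got %r" % a
        err = validate(attr, value)
        if err:
            return False, err            # bail out before touching the role
        parsed.append((attr, value))
    for attr, value in parsed:           # reached only when every pair is valid
        roles[name][attr] = _coerce(attr, value)
    return True, "changed %d attribute(s) of %s" % (len(parsed), name)


def effective_authorizations(roles, name, _seen=None):
    """Authorizations granted by `name`: its own plus those implied via rolelist.

    A role with visibility -1 is disabled and contributes nothing; this example
    assumes that also holds when the role is reached through another rolelist.
    Cycles in rolelist are guarded by `_seen`.
    """
    seen = _seen if _seen is not None else set()
    role = roles.get(name)
    if role is None or name in seen or role.get("visibility", "1") == "-1":
        return set()
    seen.add(name)
    auths = set(role.get("authorizations", []))
    for sub in role.get("rolelist", []):
        auths |= effective_authorizations(roles, sub, seen)
    return auths


if __name__ == "__main__":
    r = parse_stanzas(SAMPLE_ROLES)
    print(chrole(r, "ManagePasswds", "groups=security,audit", "visibility=2"))
    print(sorted(effective_authorizations(r, "SecurityAdmin")))
```

On a real system the change only takes effect for security decisions after setkst loads the role database into the kernel tables when the system is in enhanced RBAC mode, so a wrapper script should run chrole, check its exit status, and only then run setkst.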

Security

The chrole command is a privileged command. You must assume a role that has the following authorization to run the command successfully.
Item Description
aix.security.role.change Required to run the command.

Auditing Events

Event Information
ROLE_Change role, attribute

Files Accessed

Mode File
rw /etc/security/roles
r /etc/security/user.roles

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To change the authorizations of the ManagePasswds role to aix.security.passwd, use the following command:
    chrole authorizations=aix.security.passwd ManagePasswds
  2. To change the authorizations of the ManagePasswds role in LDAP to aix.security.passwd, use the following command:
    chrole -R LDAP authorizations=aix.security.passwd ManagePasswds 

Files

Item Description
/etc/security/roles Contains the attributes of roles.
/etc/security/user.roles Contains the role attribute of users.