How To
Summary
With Role-Based Access Control (RBAC), customers can define roles based on job function and grant access to specific commands according to the role assigned.
This example covers two scenarios: in the first, a new user is created and assigned the same roles as the padmin user; in the second, a role that grants access to a limited set of commands is created and assigned to a newly created user.
Objective
Steps
RBAC can be used to permit or deny existing or new users the ability to run commands on the Virtual I/O Server.
Each command on VIOS has a specific authorization. Based on the requirement, the system administrator can specify the set of command authorizations that a user is permitted to run on the VIOS.
The system administrator then assigns the role (containing the authorizations for the commands the user is permitted to run) to a new or existing user.
- For a detailed explanation of authorizations on VIOS, please review the RBAC Authorizations reference.
1- Assigning padmin role to a user:
To view the Role assigned to the padmin user, you can run the command below:
$ lsuser padmin
padmin roles=PAdmin,CacheAdm default_roles=PAdmin,CacheAdm account_locked=false expires=0 histexpire=0 histsize=0 loginretries=0 maxage=0 maxexpired=-1 maxrepeats=8 minage=0 minalpha=0 mindiff=0 minlen=0 minother=0 pwdwarntime=0 registry=files SYSTEM=compat
From the output we can observe the padmin user is assigned two roles PAdmin and CacheAdm.
To view the authorizations that each role has, run lsrole with the role name (here for PAdmin and CacheAdm):
$ lsrole PAdmin
PAdmin authorizations=vios.device,vios.fs,vios.install,vios.lvm,vios.network,vios.security,vios.system,vios.oemsetupenv,vios.system.cluster,aix.system.config.artex rolelist= groups=staff visibility=1 screens=* dfltmsg= msgcat= auth_mode=INVOKER id=23
$ lsrole CacheAdm
CacheAdm authorizations=cache.device.config,cache.device.manage rolelist= groups= visibility=1 screens=* dfltmsg=SSD Cache Device Administrator msgcat=cache_ssd.cat msgnum=5 msgset=3 auth_mode=INVOKER id=25
Current user roles (default roles):
$ lsuser User1
User1 roles=Admin default_roles=Admin account_locked=false expires=0 histexpire=0 histsize=0 loginretries=0 maxage=0 maxexpired=-1 maxrepeats=8 minage=0 minalpha=0 mindiff=0 minlen=0 minother=0 pwdwarntime=330 registry=files SYSTEM=compat
$ lsuser User2
User2 roles=Admin default_roles=Admin account_locked=false expires=0 histexpire=0 histsize=0 loginretries=0 maxage=0 maxexpired=-1 maxrepeats=8 minage=0 minalpha=0 mindiff=0 minlen=0 minother=0 pwdwarntime=330 registry=files SYSTEM=compat
Assign PAdmin and CacheAdm Roles to User2:
$ chuser -attr default_roles=PAdmin,CacheAdm roles=PAdmin,CacheAdm User2
$ lsuser User2
User2 roles=PAdmin,CacheAdm default_roles=PAdmin,CacheAdm account_locked=false expires=0 histexpire=0 histsize=0 loginretries=0 maxage=0 maxexpired=-1 maxrepeats=8 minage=0 minalpha=0 mindiff=0 minlen=0 minother=0 pwdwarntime=330 registry=files SYSTEM=compat
Log in as User1:
$ whoami
User1
$ oem_setup_env
Access to run command is not valid.
User1 holds only the Admin role, so the vios.oemsetupenv authorization that the PAdmin role carries is not available to it and oem_setup_env is refused.
Log in as User2:
$ whoami
User2
$ oem_setup_env
# whoami
root
With the PAdmin role (and its vios.oemsetupenv authorization), User2 can run oem_setup_env and is dropped into a root shell.
2 - Creating and assigning a custom new role to a user:
In this scenario, a new custom role is created and assigned to a user for user management purposes: this user can only create users, remove users, change user attributes, list users, or change a user's password.
Since we have the list of commands the user is permitted to run, we need to determine the authorization for each of those commands; check this link for the list of authorizations available on VIOS.
Authorizations that will be required:
Command   Authorization
mkuser    vios.security.user.create
chuser    vios.security.user.change
rmuser    vios.security.user.remove
lsuser    vios.security.user.list
passwd    vios.security.passwd
Creating a new role (TestRole) and assigning it to a new user (TestUser):
$ mkrole authorizations=vios.security.user.create,vios.security.user.change,vios.security.user.remove,vios.security.user.list,vios.security.passwd TestRole
$ lsrole -f TestRole
TestRole:
authorizations=vios.security.user.create,vios.security.user.change,vios.security.user.remove,vios.security.user.list,vios.security.passwd
rolelist=
groups=
visibility=1
screens=*
dfltmsg=
msgcat=
auth_mode=INVOKER
id=26
The commands below create the user, assign the TestRole to that user, and then update the kernel security tables with setkst so the new role takes effect:
$ mkuser -attr roles=TestRole default_roles=TestRole TestUser
$ setkst
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.
Log out and log in with the new user (TestUser) credentials:
$ whoami
TestUser
$ mkuser
Too few parameters.
Usage: mkuser [-ldap] [-de | -sr] [-attr Attributes=Value ...] Name
The command returns its usage message (the flags it accepts), which means TestUser is authorized to run it.
If we try to run the rmdev command, it fails because the user has no authorization for that command:
$ rmdev
Access to run command is not valid.
Testing authorized TestUser commands:
$ whoami
TestUser
$ mkuser test
Changing password for "test"
test's New password:
Enter the new password again:
$ rmuser test
$ mkuser test2
Changing password for "test2"
test2's New password:
Enter the new password again:
$ passwd test2
Changing password for "test2"
test2's New password:
Enter the new password again:
$ chuser -attr maxage=18 test2
$ lsuser test2
test2 roles=Admin default_roles=Admin account_locked=false expires=0 histexpire=0 histsize=0 loginretries=0 maxage=18 maxexpired=-1 maxrepeats=8 minage=0 minalpha=0 mindiff=0 minlen=0 minother=0 pwdwarntime=330 registry=files SYSTEM=compat
$ whoami
TestUser
$ lsmap -all
Access to run command is not valid.
Document Information
Modified date: 20 October 2021
UID: ibm10964834