This blog, written by Michael Felt, discusses AIX security topics: articles on IBM AIX security including PowerSC, AIX RBAC, AIX shell scripting, passwords and user security. RBAC, or Role Based Access Control, has been available in AIX starting with AIX . Prior to that, access control in AIX was the same as for any .
Published (Last): 12 January 2005
How-to Integrate Applications Into AIX RBAC
Yes, there was access control (DAC, or discretionary access control), but no role-based management of lists of authorizations or privileges to execute sets of commands. Further articles will discuss the implementation and usage of extended RBAC. New installations will have extended RBAC activated by default. Legacy RBAC provides several pre-defined roles that can be set up for administrative users so that they can perform specialised tasks without any need for root access.
Legacy RBAC also provides a framework for extending the pre-defined roles, but it is quite difficult to use. Extended RBAC is granular. The data is stored in "flat-file text", so no additional database management engine is needed to use enhanced RBAC. There are five (5) components to the RBAC security database. Basically, with enhanced RBAC we need to distinguish three concepts: Authorizations, Roles, and Privileges.
The basic question is whether the user holds the authorization. If he has access to an authorization (similar to a key that opens an otherwise locked door) the task can be performed; otherwise the task or resource remains inaccessible.
A role is a list of all the authorizations needed to complete a task. Authorizations get assigned to one or more roles; roles get assigned to users. A privilege is an explicit access granted to a command, device, or file. Privileges are assigned to commands, devices and files, and through them to the users who may run or use them.
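The following shell script is an added example, not code from the page or from Michael Felt, of how the three concepts above are wired together when an application command is integrated into enhanced RBAC: an authorization is defined, the command is registered in the privileged command database with that authorization as its access key and a minimal set of innate privileges, a role is built around the authorization, the role is given to a user, and the kernel security tables are reloaded. The commands (mkauth, setsecattr, mkrole, chuser, setkst) are real AIX commands; the authorization name acme.backup, the role BackupOperator, the command path /usr/local/sbin/acme-backup and the user alice are hypothetical. With RBAC_DRY_RUN=1 the script only prints the commands it would run, which is how it can be checked on a non-AIX host.

```shell
#!/bin/sh
# Enhanced-RBAC integration of one application command (added example).
# Hypothetical names: authorization acme.backup, role BackupOperator,
# command /usr/local/sbin/acme-backup, user alice. Must run as root on AIX;
# set RBAC_DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${RBAC_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# integrate_command AUTH ROLE COMMAND USER PRIVS
#   1. mkauth     - define the authorization (the "key"); the parent of a
#                   hierarchical name (acme for acme.backup) is created first,
#                   since user-defined authorizations are created top-down
#   2. setsecattr - put the command in the privileged command database:
#                   accessauths = which authorization unlocks it,
#                   innateprivs = privileges it receives when run, so the
#                   binary needs no setuid-root bit
#   3. mkrole     - bundle the authorization into a role
#   4. chuser     - assign the role to the user
#   5. setkst     - load the updated databases into the kernel security tables
integrate_command() {
    auth=$1 role=$2 cmd=$3 user=$4 privs=$5
    parent=${auth%.*}
    if [ "$parent" != "$auth" ]; then
        run mkauth dfltmsg="Parent authorization for $auth" "$parent"
    fi
    run mkauth dfltmsg="Run $cmd" "$auth"
    run setsecattr -c accessauths="$auth" innateprivs="$privs" "$cmd"
    run mkrole authorizations="$auth" dfltmsg="Operators of $cmd" "$role"
    run chuser roles="$role" "$user"
    run setkst
}

# Least privilege: grant only what the program needs. PV_DAC_R and PV_DAC_W
# let it read and write files it does not own; nothing else is granted.
BACKUP_PRIVS="PV_DAC_R,PV_DAC_W"

if [ "${1:-}" = integrate ]; then
    integrate_command acme.backup BackupOperator /usr/local/sbin/acme-backup alice "$BACKUP_PRIVS"
fi
```

After the script has run, alice activates the role with `swrole BackupOperator` before running the command, and an administrator can confirm the registration with `lssecattr -c /usr/local/sbin/acme-backup` and `lsrole BackupOperator`. The privilege list is the security-relevant choice: every extra PV_ value in innateprivs is capability the program holds whether or not it needs it.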
The ISSO role manages all other roles. This makes it the most powerful role on the system. Some of the ISSO tasks or responsibilities are listed below. Systems based on DAC have the concepts of objects, owners, groups and others. Every object is owned by a single user, with additional access controlled via group membership (group permissions) or granted to anyone else (others).
The owner has the privilege (the discretion, or right) to determine who has access to an object. Also, the owner can modify object accessibility at any time.
The system works by having front-end programs that are accessible via group or other permission bits. The first task of such a role-based program is to verify that the user has the appropriate role to use the program; each program verifies the user's roles itself.
Although easy to use and manage by a system administrator, it was very difficult to adapt to programs not specifically coded to use the AIX Role mechanism, and it has remained limited to common tasks. The great advantage is that these tasks could be performed by users who were neither system administrators in the strict sense nor ever gained a root access prompt.
Those who considered this approach too limited generally opted for the package sudo, and accepted both the additional risks and the workload associated with its use and administration.

ISSO – Information System Security Officer
The ISSO role manages all other roles. Some of the ISSO tasks or responsibilities are:
- Establishing and maintaining security policy
- Setting passwords for users
- Network configuration
- Device administration

SA – Systems Administrator
The SA role provides authorizations for daily administration and includes:
- User administration, except password setting
- File system administration
- Software installation and update
- Network daemon management
- Device allocation

SO – System Operator
The SO role provides the authorizations for day-to-day operations and includes:
- System shutdown and reboot
- File system backup, restore and quotas
- System error logging, trace and statistics
- Workload administration

Written by Michael Felt.