Posted in SRP, tagged srp on April 26, 2010
Constraints that limit access to resources usually fall into three categories:
- Subject: the entity attempting to access the resource; on an OS this is usually a user, or a process running on behalf of a user
- Operation: the action performed on the resource; on an OS this is usually an application or a command, for example the HP-UX RBAC operation hpux.user.add
- Object: the target of the operation
———————————————————————————————————————————————————-
RBAC simplifies managing these constraints by grouping users with common authorization needs into roles; authorizations (operation/object pairs) are granted to roles rather than to individual users, and a user gets them by being assigned the role.
Example operation after invoking privrun:
———————————————————————————————————————————————————-
Three steps to deploy RBAC:
- Plan roles for users
- Plan authorizations for the roles
- Plan the authorization-to-command mappings
Three steps to configure RBAC:
- Configure the roles: roleadm manages roles under HP-UX (add/delete/modify/assign/revoke/list…)
- Configure the authorizations: authadm manages authorizations under HP-UX (add/delete/assign/revoke/list…)
- Configure any additional commands: cmdprivadm edits a command’s authorization and privilege information (add/delete…)
———————————————————————————————————————————————————-
RBAC can also use compartments: cmdprivadm can configure a command so that privrun launches it in a particular compartment.
Use only the cmdprivadm command to configure compartments for commands; do not edit /etc/rbac/cmd_priv directly. To update an entry,
first delete it and then add the updated version back in.
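The three configuration steps above, plus the delete-then-add update of a cmd_priv entry, as one script. This is an added example, not code from the original post or from HP: the role name UserOperator, the user alice, the object "*", the command /usr/sbin/useradd and the compartment name useradm are assumed values chosen for illustration, and the roleadm/authadm/cmdprivadm argument forms are as I recall them from the HP-UX man pages, so check them against your release before applying. With RBAC_DRY_RUN set the script only prints the commands, which is also how it runs on a non-HP-UX host.

```shell
#!/bin/sh
# Added example (not from the original post): drive the three HP-UX RBAC
# configuration steps with roleadm, authadm and cmdprivadm for one planned role.
# Role, user, object, command and compartment below are assumed values for
# illustration. RBAC_DRY_RUN=1 prints each command instead of executing it.

ROLE="${ROLE:-UserOperator}"
ROLE_COMMENT="${ROLE_COMMENT:-Creates local user accounts}"
USER_NAME="${USER_NAME:-alice}"
OPERATION="${OPERATION:-hpux.user.add}"
OBJECT="${OBJECT:-*}"
CMD="${CMD:-/usr/sbin/useradd}"

# run: execute the command, or print it unchanged when RBAC_DRY_RUN is set.
run() {
    if [ -n "${RBAC_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1 (roleadm): create the role and assign it to the user.
rbac_configure_role() {
    run roleadm add "$ROLE" "$ROLE_COMMENT"
    run roleadm assign "$USER_NAME" "$ROLE"
}

# Step 2 (authadm): create the (operation, object) authorization and grant it
# to the role, never directly to the user.
rbac_configure_auth() {
    run authadm add "$OPERATION" "$OBJECT"
    run authadm assign "$ROLE" "$OPERATION" "$OBJECT"
}

# Step 3 (cmdprivadm): map the command to the authorization and the identity
# privrun should give it (ruid/euid 0 here, since useradd needs root).
rbac_configure_cmd() {
    run cmdprivadm add "cmd=$CMD" "op=$OPERATION" "object=$OBJECT" ruid=0 euid=0
}

# Updating a cmd_priv entry (here: placing the command in a compartment):
# never edit /etc/rbac/cmd_priv by hand; delete the entry, then add it back.
rbac_update_cmd() {
    new_compartment="$1"
    run cmdprivadm delete "cmd=$CMD" "op=$OPERATION" "object=$OBJECT"
    run cmdprivadm add "cmd=$CMD" "op=$OPERATION" "object=$OBJECT" \
        ruid=0 euid=0 "compartment=$new_compartment"
}

# rbac_deploy: the complete configuration sequence, in dependency order.
rbac_deploy() {
    rbac_configure_role
    rbac_configure_auth
    rbac_configure_cmd
}

# rbac_plan: emit the sequence without running anything, for review first.
rbac_plan() {
    ( RBAC_DRY_RUN=1; rbac_deploy )
}

case "${1:-}" in
    plan)  rbac_plan ;;
    apply) rbac_deploy ;;
    update) rbac_update_cmd "${2:-useradm}" ;;
esac
```

Run `sh rbac.sh plan` to review the five commands, then `sh rbac.sh apply` as root on the HP-UX host; afterwards `authadm list role=UserOperator` and `roleadm list user=alice` should show the new mapping, and alice can execute `privrun /usr/sbin/useradd ...` without being root.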