mkrole command
Purpose
Creates new roles.
Syntax
mkrole [-R load_module] [ Attribute=Value ... ] Name
Description
The mkrole command creates a new role. The Name parameter must be a unique role name. You cannot use the ALL or default keywords as the role name.
You can use the Users application in Web-based System Manager to change user characteristics. You could also use the System Management Interface Tool (SMIT) to run this command.
If the system is configured to use multiple domains for the role database, the new role is created in the first domain specified by the secorder attribute of the roles stanza in the /etc/nscontrol.conf file. Use the -R flag to create a role in a specific domain.
Every role must have a unique role ID that is used for security decisions. If the id attribute is not specified when a role is created, the mkrole command automatically assigns a unique ID to the role.
When the system is operating in enhanced (RBAC) mode, roles created in the role database can be immediately assigned to users but are not used for security considerations until the database is sent to the kernel security tables using the setkst command.
Flags
Item | Description |
---|---|
-R load_module | Specifies the loadable module to use for role creation. |
Parameters
Item | Description |
---|---|
Attribute=Value | Initializes a role attribute. Refer to the chrole command for the valid attributes and values. |
Name | Specifies a unique role name string. Restrictions on creating role names: to prevent inconsistencies, restrict role names to characters in the POSIX portable filename character set. You cannot use the keywords ALL or default as a role name. Additionally, do not use any of the following characters within a role-name string: Restriction: the Name parameter cannot contain any space, tab, or newline characters. |
Security
Item | Description |
---|---|
aix.security.role.create, vios.security.role.create | Required to run the command. |
Files Accessed:
Mode | File |
---|---|
rw | /etc/security/roles |
r | /etc/security/user.roles |
Auditing Events:
Event | Information |
---|---|
ROLE_Create | role |
Examples
- To create the ManageRoles role and have the command automatically
generate a role ID, use the following command:
mkrole authorizations=aix.security.role ManageRoles
- To create the ManageRoles role in LDAP, use the following
command:
mkrole -R LDAP authorizations=aix.security.role ManageRoles
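The following script is an added example, not part of the IBM documentation above: it checks a proposed role name against the Name restrictions stated in the Parameters section (no ALL or default keyword, POSIX portable filename characters only, so no space, tab or newline) and only then composes the mkrole invocation, optionally with the -R load module. The function names valid_role_name and mkrole_cmdline are assumptions; the script runs in any POSIX sh, including AIX ksh.

```shell
#!/bin/sh
# Added example (not IBM's code): validate a role name before handing it to
# mkrole, so a provisioning script never writes an inconsistent name into
# /etc/security/roles.

# valid_role_name NAME -> returns 0 if NAME is an acceptable role name, 1 otherwise.
valid_role_name() {
    name=$1
    # An empty name is never valid.
    [ -n "$name" ] || return 1
    # The keywords ALL and default are reserved and cannot be role names.
    case $name in
        ALL|default) return 1 ;;
    esac
    # Restrict to the POSIX portable filename character set
    # (A-Z, a-z, 0-9, period, underscore, hyphen). Any other byte,
    # including space, tab and newline, rejects the name.
    case $name in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# mkrole_cmdline NAME MODULE AUTHS -> prints the mkrole command line for a
# validated NAME, adding "-R MODULE" when MODULE is non-empty (e.g. LDAP).
# It prints rather than executes so the logic can be exercised off an AIX host;
# remember that in enhanced RBAC mode the new role is not used for security
# decisions until setkst has loaded the database into the kernel tables.
mkrole_cmdline() {
    name=$1
    module=$2
    auths=$3
    valid_role_name "$name" || return 1
    if [ -n "$module" ]; then
        printf 'mkrole -R %s authorizations=%s %s\n' "$module" "$auths" "$name"
    else
        printf 'mkrole authorizations=%s %s\n' "$auths" "$name"
    fi
}

# Usage: constructed sample inputs, one valid and one rejected.
mkrole_cmdline ManageRoles LDAP aix.security.role
mkrole_cmdline 'Manage Roles' '' aix.security.role || echo "rejected: name contains a space" >&2
```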
Files
Item | Description |
---|---|
/etc/security/roles | Contains the attributes of roles. |
/etc/security/user.roles | Contains the role attribute of users. |