lsrole Command

Purpose

Displays role attributes.

Syntax

lsrole [-R load_module] [ -c | -f | -C] [ -a List ] { ALL | Name [ ,Name ] ... }

Description

The lsrole command displays the role attributes. You can use this command to list all attributes of all the roles or all the attributes of specific roles. Since there is no default parameter, you must enter the ALL keyword to see the attributes of all the roles. By default, the lsrole command displays all role attributes. To view selected attributes, use the -a List flag. If one or more attributes cannot be read, the lsrole command lists as much information as possible.

By default, the lsrole command lists each role's attributes on one line. It displays attribute information as Attribute=Value definitions, each separated by a blank space. To list the role attributes in stanza format, use the -f flag. To list the information as colon-separated records, use the -c flag.

You can use the System Management Interface Tool (SMIT) smit lsrole fast path to run this command.

If the system is configured to use multiple domains for the role database, the roles, as specified by the Name parameter, are searched from the domains in the order specified by the secorder attribute of the roles stanza in the /etc/nscontrol.conf file. If duplicate entries exist in multiple domains, only the first entry instance is listed. Use the -R flag to list the roles from a specific domain.

The lsrole command only lists the role definitions available in the roles database. If the system is operating in enhanced Role Based Access Control (RBAC) mode, the information in the roles database might differ from what is used for security considerations on the system in the kernel security tables (KST). To view the state of the roles database in the KST, use the lskst command.

Flags

Item	Description
-a List	Lists the attributes to display. The List variable can include any attribute that is defined in the chrole command. Specify more than one attributes with a blank space between attribute names. If an empty list is specified, only the role names are displayed. In addition to the attributes defined in the chrole command, the following attributes can also be listed with the -a flag: all_auths Traverses the role hierarchy of the specified roles and gathers all the authorizations. The all_auths attribute differs from the authorizations attribute because the lsrole command only lists the explicit authorizations of the specified roles for that attribute. users Displays the users that are granted the specified roles. description Displays the text description of the role as indicated by the dfltmsg, msgcat, msgset and msgnum attributes for the role.
-c	Displays the role attributes in colon-separated records, as follows: `# role: attribute1: attribute2: ... Role: value1: value2: ...`
-C	Displays the role attributes in colon-separated records that are easier to parse than the output of the -c flag: `#role:attribute1:attribute2: ... role:value1:value2: ... role2:value1:value2: ...` The output is preceded by a comment line that has details about the attribute represented in each colon-separated field. If you specified the -a flag, the order of the attributes matches the order specified in the -a flag. If a role does not have a value for a given attribute, the field is still displayed but is empty. The last field in each entry is ended by a newline character rather than a colon.
-f	Displays the output in stanzas, with each stanza identified by a role name. Each Attribute=Value pair is listed on a separate line: `Role: attribute1=value attribute2=value attribute3=value`
-R load_module	Specifies the loadable module to list roles from.

Security

The lsrole command is a privileged command. You must assume a role that has the following authorization to run the command successfully.

Item	Description
aix.security.role.list	Required to run the command.

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Files Accessed:

Mode	File
r	/etc/security/roles

Examples

To display the role rolelist and groups of the role ManageAllUsers in a colon format, use the following command:
```
lsrole -c -a rolelist groups ManageAllUsers
```
Information similar to the following appears:
```
# role: rolelist:groups
 ManageAllUsers: ManagerBasicUser:security
```
To list all attributes of the ManageAllUsers role from LDAP, use the following command:
```
lsrole -R LDAP ManageAllUsers
```
All the attribute information appears, with each attribute separated by a blank space.

Files

Item	Description
/etc/security/roles	Contains the attributes of roles.