RBAC Authorizations

Authorizations are an important part of Role Based Access Control (RBAC). The operating system consults authorization strings to decide whether a process is eligible to perform a privileged operation before it carries that operation out. The check can be made explicitly from within the code (for example through the checkauths subroutine) or can be done by the loader when a protected privileged executable is run.

The name of an authorization string indicates the privileged operation that it represents and controls. The AIX® naming convention for authorizations supports a hierarchical structure that is expressed in the authorization's textual name: AIX authorization strings use a dotted notation, and each dot-separated component is one level of the hierarchy. For example, the authorization to create new file systems is aix.fs.manage.create. If this authorization is included in a role, then a user who is assigned this role (and has activated it, for example with swrole) can create AIX file systems. If the parent authorization aix.fs.manage is included in a role, then a user who is assigned this role can perform the other file system management tasks beneath aix.fs.manage as well as create file systems, because a parent authorization covers every authorization below it in the hierarchy.
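The following is an added example, not AIX code or part of the original page, that models the hierarchy semantics described above: an authorization held through a role covers the requested authorization when it is equal to it or is a dotted ancestor of it. The role names, user names and the record formats (shaped like `lsrole -a authorizations` and `lsuser -a roles` output) are constructed for the example. The one caveat worth seeing in code is that the match is on dot-separated components, not on raw string prefixes, so `aix.fs.manage` covers `aix.fs.manage.create` but not a hypothetical `aix.fs.manager.create`.

```python
"""Hierarchical authorization matching as described for AIX RBAC.

Added example, not AIX's own code. The sample records below are
constructed and only shaped like lsrole/lsuser output; the role and user
names are invented.
"""

# Constructed sample data (not taken from a real system).
LSROLE_OUTPUT = """\
FSAdmin authorizations=aix.fs.manage
FSCreate authorizations=aix.fs.manage.create
NetOps authorizations=aix.network.config.tcpip,aix.network.daemon
"""

LSUSER_OUTPUT = """\
alice roles=FSAdmin
bob roles=FSCreate
carol roles=NetOps
dave roles=
"""


def parse_attr_lines(text, attr):
    """Parse lines of the form 'name attr=v1,v2' into {name: [v1, v2]}.

    An empty value list (e.g. 'dave roles=') yields an empty list.
    """
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, rest = line.partition(" ")
        key, _, values = rest.partition("=")
        if key != attr:
            raise ValueError(f"unexpected attribute {key!r} on line {line!r}")
        result[name] = [v for v in values.split(",") if v]
    return result


def covers(granted, requested):
    """True if `granted` equals `requested` or is a dotted ancestor of it.

    Comparison is component-wise: 'aix.fs.manage' covers
    'aix.fs.manage.create' but must NOT cover 'aix.fs.manager.create',
    which a naive str.startswith() check would wrongly accept.
    """
    g = granted.split(".")
    r = requested.split(".")
    return len(g) <= len(r) and r[: len(g)] == g


def authorized(user, requested, users, roles):
    """Return True if any authorization in any of the user's roles covers `requested`.

    Note: a real AIX check also requires the role to be active in the
    session; this model treats every assigned role as active.
    """
    for role in users.get(user, []):
        for auth in roles.get(role, []):
            if covers(auth, requested):
                return True
    return False


def demo():
    """Evaluate a few requests against the constructed data and return the results."""
    users = parse_attr_lines(LSUSER_OUTPUT, "roles")
    roles = parse_attr_lines(LSROLE_OUTPUT, "authorizations")
    requests = [
        ("alice", "aix.fs.manage.create"),   # parent auth covers child
        ("alice", "aix.fs.manage.remove"),   # parent auth covers sibling child
        ("bob", "aix.fs.manage.create"),     # exact match
        ("bob", "aix.fs.manage.remove"),     # sibling not covered by leaf auth
        ("carol", "aix.fs.manage.create"),   # unrelated hierarchy
        ("dave", "aix.fs.manage.create"),    # no roles at all
    ]
    return {f"{u}:{a}": authorized(u, a, users, roles) for u, a in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:35} {'ALLOW' if allowed else 'DENY'}")
```

Run it stand-alone to see the ALLOW/DENY table; the `covers()` function is the part to reuse if you need to audit which users can reach a given authorization from exported `lsrole`/`lsuser` data.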

AIX RBAC differentiates between system-provided authorizations that ship with the operating system (system-defined authorizations, such as those in the aix hierarchy shown above) and authorizations that an administrator creates after installation, for example with the mkauth command (user-defined authorizations). Both kinds can be listed with lsauth ALL.