mkrole Command

Purpose

Creates new roles.

Syntax

mkrole [-R load_module] Attribute=Value [ Attribute=Value ... ] Name

Description

The mkrole command creates a new role. The Name parameter must be a unique role name. You cannot use the ALL or default keywords as the role name.

You can use the System Management Interface Tool (SMIT) smit mkrole fast path to run this command.

If the system is configured to use multiple domains for the role database, the new role is created in the first domain specified by the secorder attribute of the roles stanza in the /etc/nscontrol.conf file. Use the -R flag to create a role in a specific domain.

Every role must have a unique role ID that is used for security decisions. If the id attribute is not specified when a role is created, the mkrole command automatically assigns a unique ID to the role.

When the system is operating in enhanced (RBAC) mode, a role created in the role database can be assigned to users immediately, but it is not used for security decisions until the role database is sent to the kernel security tables with the setkst command.

Flags

Item Description
-R load_module Specifies the loadable module to use for role creation.

Parameters

Item Description
Attribute=Value Initializes a role attribute. Refer to the chrole command for the valid attributes and values.
Name Specifies a unique role name string.

Restrictions on Creating Role Names

The Name parameter that you specify must be unique, and can be a maximum of 63 single-byte printable characters. To prevent inconsistencies, restrict role names to characters from the POSIX portable filename character set. You cannot use the keywords ALL or default as a role name. Additionally, do not use any of the following characters within a role-name string:
  • : (colon)
  • " (quotation mark)
  • # (pound sign)
  • , (comma)
  • = (equal sign)
  • \ (backslash)
  • / (forward slash)
  • ? (question mark)
  • ' (single quotation mark)
  • ` (back quotation mark)
Restriction: The Name parameter cannot contain any space, tab, or newline characters.

Security

The mkrole command is a privileged command. You must assume a role that has the following authorization to run the command successfully.
Item Description
aix.security.role.create Required to run the command.
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Files Accessed:

Mode File
rw /etc/security/roles
r /etc/security/user.roles

Auditing Events:

Event Information
ROLE_Create role

Examples

  1. To create the ManageRoles role and have the command automatically generate a role ID, use the following command:
    mkrole authorizations=aix.security.role ManageRoles
  2. To create the ManageRoles role in the LDAP domain instead of the first domain listed in secorder, use the following command:
    mkrole -R LDAP authorizations=aix.security.role ManageRoles
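The name restrictions listed under Restrictions on Creating Role Names, together with the create, verify and setkst sequence from the Description, as an added POSIX shell example. This is not code from the IBM reference page: the function names validate_role_name and role_create_and_load are chosen here, the candidate names in the loop are constructed, and the only AIX commands used are mkrole, lsrole and setkst with the attributes shown in the page's own examples. LC_ALL=C is set so the A-Z and a-z ranges mean ASCII letters only.

```shell
#!/bin/sh
# Added example (not part of the mkrole reference page).
LC_ALL=C
export LC_ALL

# validate_role_name NAME
# Returns 0 if NAME satisfies the documented mkrole restrictions, 1 otherwise.
# Run this before mkrole so a bad name is caught without touching
# /etc/security/roles.
validate_role_name() {
    name=$1
    # The reserved keywords (and the empty string) can never be role names.
    case $name in
        ''|ALL|default) return 1 ;;
    esac
    # At most 63 single-byte printable characters.
    [ "${#name}" -le 63 ] || return 1
    # Restrict to the POSIX portable filename character set: A-Z a-z 0-9 . _ -
    # Every character the page forbids (: " # , = \ / ? ' `) and every
    # space, tab or newline falls outside this set and is rejected here.
    case $name in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# role_create_and_load NAME ATTR=VALUE ...
# Validates NAME, creates the role with the given attributes, shows the
# stored record, and sends the role database to the kernel security tables.
# mkrole, lsrole and setkst exist only on AIX; this function is meant to be
# called on the target system and is not exercised by the loop below.
role_create_and_load() {
    name=$1
    shift
    validate_role_name "$name" || {
        echo "rejected role name: '$name'" >&2
        return 1
    }
    mkrole "$@" "$name" || return 1   # created in the first domain of secorder
    lsrole "$name"                    # confirm what was written to the database
    setkst                            # until this runs the kernel ignores the role
}

# Constructed sample names, one per restriction; runs anywhere.
for candidate in ManageRoles ALL 'Manage Roles' 'audit=all' 'ops/role'; do
    if validate_role_name "$candidate"; then
        echo "ok      $candidate"
    else
        echo "reject  $candidate"
    fi
done
```

On an AIX host, `role_create_and_load ManageRoles authorizations=aix.security.role` reproduces example 1 with the name check and the setkst step included; assigning the role afterwards (for instance with `chuser roles=ManageRoles username`, an assumption about the follow-up step, not something this page documents) is what makes it usable, and only after setkst does the kernel enforce it.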

Files

Item Description
/etc/security/roles Contains the attributes of roles.
/etc/security/user.roles Contains the role attribute of users.