rmrole Command
Purpose
Removes a role.
Syntax
rmrole [-R load_module] Name
Description
The rmrole command removes the role identified by the Name parameter from the /etc/security/roles file. The role name must already exist.
You can use the System Management Interface Tool (SMIT) to run the rmrole command.
If the system is configured to use databases from multiple domains, the rmrole command finds the first match from the database domains in the order specified by the secorder attribute of the roles stanza in the /etc/nscontrol.conf file, and removes the role entry from that domain only. Matching roles in the remaining domains are not affected. Use the -R flag to remove a role from a specific domain.
When the system is operating in enhanced role based access control (RBAC) mode, roles removed from the role database still exist in the kernel security tables (KST) until the KST is updated with the setkst command.
Flags
Item | Description |
---|---|
-R load_module | Specifies the loadable module to use for role deletion. |
Security
Item | Description |
---|---|
aix.security.role.remove | Required to run the command. |
Files Accessed:
Mode | File |
---|---|
rw | /etc/security/roles |
r | /etc/security/user.roles |
Auditing Events:
Event | Information |
---|---|
ROLE_Remove | role |
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
Examples
- To remove the ManageObjects role, use the following command:
rmrole ManageObjects
- To remove the ManageRoles role from LDAP, use the following command:
rmrole -R LDAP ManageRoles
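The following script is an added example and is not part of this manual page. It ties together the two caveats from the Description section: in a multi-domain configuration, rmrole without -R deletes only from the first domain listed in secorder, and in enhanced RBAC mode the role survives in the kernel security tables until setkst runs. It assumes (not stated on this page) that the roles stanza in /etc/nscontrol.conf has the form `roles:` followed by an indented `secorder = LDAP,files` line, and that the standard AIX commands lsrole and lsattr (with the enhanced_RBAC attribute of sys0) are available; the sample configuration text in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the AIX documentation.
#
# Assumed /etc/nscontrol.conf layout (constructed sample):
#   roles:
#           secorder = LDAP,files
#   authorizations:
#           secorder = files

# Print the comma-separated secorder value of the roles stanza read from
# stdin. Prints nothing if the stanza or the attribute is absent.
roles_secorder() {
    awk '
        # A line such as "roles:" opens a stanza; remember whether it is roles.
        /^[A-Za-z_]+:[ \t]*$/ { in_roles = ($1 == "roles:"); next }
        in_roles && $0 ~ /^[ \t]*secorder[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); gsub(/[ \t]/, ""); print; exit
        }'
}

# The domain rmrole (without -R) will delete from: the first one in secorder.
first_domain() {
    roles_secorder | cut -d, -f1
}

# Build the exact rmrole invocation, pinning the domain with -R when given so
# that a same-named role in another domain is not the one removed.
rmrole_cmd() {   # $1 = role name, $2 = domain (optional)
    if [ -n "$2" ]; then
        printf 'rmrole -R %s %s\n' "$2" "$1"
    else
        printf 'rmrole %s\n' "$1"
    fi
}

# Remove the role, refresh the KST when the system runs enhanced RBAC, and
# verify that the name no longer resolves in the role database.
remove_role() {  # $1 = role name, $2 = domain (optional)
    role="$1"; domain="$2"
    if [ -n "$domain" ]; then
        rmrole -R "$domain" "$role" || return 1
    else
        rmrole "$role" || return 1
    fi
    # lsattr prints "enhanced_RBAC true ..." when enhanced mode is enabled;
    # without setkst the removed role would still exist in the KST.
    if lsattr -El sys0 -a enhanced_RBAC 2>/dev/null | grep -q true; then
        setkst || return 1
    fi
    # If lsrole still finds the name, a copy most likely remains in another
    # domain (see the secorder caveat above).
    if lsrole "$role" >/dev/null 2>&1; then
        echo "warning: role $role still resolves after removal" >&2
        return 1
    fi
    return 0
}
```

Typical use on a system is `remove_role ManageRoles LDAP`; pipe /etc/nscontrol.conf into `first_domain` beforehand to see which domain an unqualified rmrole would touch.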
Files
Item | Description |
---|---|
/etc/security/roles | Contains the attributes of roles. |
/etc/security/user.roles | Contains the role attribute of users. |