Using role-based access control with the Virtual I/O Server
With Virtual I/O Server Version 2.2, and later, a system administrator can define roles based on job functions in an organization by using role-based access control (RBAC).
A system administrator can use role-based access control (RBAC) to define roles for users in the Virtual I/O Server. A role confers a set of permissions or authorizations to the assigned user. Thus, a user can only perform a specific set of system functions depending on the access rights that are given. For example, if the system administrator creates the role UserManagement with authorization to access user management commands and assigns this role to a user, that user can manage users on the system but has no further access rights.
The benefits of using role-based access control with the Virtual I/O Server are as follows:
- Splitting system management functions
- Providing better security by granting only necessary access rights to users
- Implementing and enforcing system management and access control consistently
- Managing and auditing system functions with ease
Authorizations
The Virtual I/O Server creates authorizations that closely emulate the authorizations of the AIX® operating system. The authorizations follow the AIX naming conventions and descriptions, but apply only to Virtual I/O Server-specific requirements. By default, the padmin user is granted all the authorizations on the Virtual I/O Server and can run all the commands. The other types of users (created by using the mkuser command) retain their command execution permissions.
The mkauth command creates a new user-defined authorization in the authorization database. You can create authorization hierarchies by using a dot (.) in the auth parameter to create an authorization of the form ParentAuth.SubParentAuth.SubSubParentAuth.... All parent elements in the auth parameter must exist in the authorization database before the authorization is created. The maximum number of parent elements that you can use to create an authorization is eight.
You can set authorization attributes when you create authorizations through the Attribute=Value parameter. Every authorization that you create must have a value for the id authorization attribute. If you do not specify the id attribute using the mkauth command, the command automatically generates a unique ID for the authorization. If you specify an ID, the value must be unique and greater than 15000. The IDs 1 - 15000 are reserved for system-defined authorizations.
Unlike in the AIX operating system, users cannot create authorizations for all Virtual I/O Server commands. In the AIX operating system, an authorized user can create a hierarchy of authorizations for all the commands. However, in the Virtual I/O Server, authorizations can only be created for the commands or scripts owned by the user. Users cannot create any authorizations that start with vios. or aix. since they are considered system-defined authorizations. Hence, users cannot add any further hierarchies to these authorizations.
Authorization names must not begin with a dash (-), plus sign (+), at sign (@), or tilde (~). They must not contain spaces, tabs, or newline characters. You cannot use the keywords ALL, default, ALLOW_OWNER, ALLOW_GROUP, ALLOW_ALL, or an asterisk (*) as an authorization name. Do not use the following characters within an authorization string:
- : (colon)
- " (quotation mark)
- # (number sign)
- , (comma)
- = (equal sign)
- \ (backslash)
- / (forward slash)
- ? (question mark)
- ' (single quotation mark)
- ` (grave accent)
The following table lists the authorizations corresponding to the Virtual I/O Server commands. The vios authorization and its intermediate child authorizations, for example vios and vios.device, are not used directly by any command. However, if a user is given a role that holds a parent or intermediate child authorization, for example vios or vios.device, that user has access to all of its descendant authorizations and their related commands. For example, a role with the authorization vios.device gives the user access to all vios.device.config and vios.device.manage authorizations and their related commands.
Command | Command options | Authorization |
---|---|---|
activatevg | All | vios.lvm.manage.varyon |
alert | All | vios.system.cluster.alert |
alt_root_vg | All | vios.lvm.change.altrootvg |
artexdiff | All | vios.system.rtexpert.diff |
artexget | All | vios.system.rtexpert.get |
artexlist | All | vios.system.rtexpert.list |
artexmerge | All | vios.system.rtexpert.merge |
artexset | All | vios.system.rtexpert.set |
backup | All | vios.fs.backup |
backupios | All | vios.install.backup |
bootlist | All | vios.install.bootlist |
cattracerpt | All | vios.system.trace.format |
cfgassist | All | vios.security.cfgassist |
cfgdev | All | vios.device.config |
cfglnagg | All | vios.network.config.lnagg |
cfgnamesrv | All | vios.system.dns |
cfgsvc | All | vios.system.config.agent |
chauth | All | vios.security.auth.change |
chbdsp | All | vios.device.manage.backing.change |
chdate | All | vios.system.config.date.change |
chdev | All | vios.device.manage.change |
checkfs | All | vios.fs.check |
chedition | All | vios.system.edition |
chkdev | All | vios.device.manage.check |
chlang | All | vios.system.config.locale |
chlv | All | vios.lvm.manage.change |
chpath | All | vios.device.manage.path.change |
chrep | All | vios.device.manage.repos.change |
chrole | All | vios.security.role.change |
chsp | All | vios.device.manage.spool.change |
chtcpip | All | vios.network.tcpip.change |
chuser | All | vios.security.user.change |
chvg | All | vios.lvm.manage.change |
chvlog | All | vios.device.manage.vlog.change |
chvlrepo | All | vios.device.manage.vlrepo.change |
chvopt | All | vios.device.manage.optical.change |
cl_snmp | All | vios.security.manage.snmp.query |
cleandisk | All | vios.system.cluster.change |
cluster | All | vios.system.cluster.create |
cplv | All | vios.lvm.manage.copy |
cpvdi | All | vios.lvm.manage.copy |
deactivatevg | All | vios.lvm.manage.varyoff |
diagmenu | All | vios.system.diagnostics |
dsmc | All | vios.system.manage.tsm |
entstat | All | vios.network.stat.ent |
errlog | -rm | vios.system.log |
errlog | Others | vios.system.log.view |
exportvg | All | vios.lvm.manage.export |
extendlv | All | vios.lvm.manage.extend |
extendvg | All | vios.lvm.manage.extend |
fcstat | All | vios.network.stat.fc |
fsck | All | vios.fs.check |
hostmap | All | vios.system.config.address |
hostname | All | vios.system.config.hostname |
importvg | All | vios.lvm.manage.import |
invscout | All | vios.system.firmware.scout |
ioslevel | All | vios.system.level |
ldapadd | All | vios.security.manage.ldap.add |
ldapsearch | All | vios.security.manage.ldap.search |
ldfware | All | vios.system.firmware.load |
license | -accept | vios.system.license |
license | Others | vios.system.license.view |
loadopt | All | vios.device.manage.optical.load |
loginmsg | All | vios.security.user.login.msg |
lsauth | All | vios.security.auth.list |
lsdev | All | vios.device.manage.list |
lsfailedlogin | All | vios.security.user.login.fail |
lsfware | All | vios.system.firmware.list |
lsgcl | All | vios.security.log.list |
lslparinfo | All | vios.system.lpar.list |
lslv | All | vios.lvm.manage.list |
lsmap | All | vios.device.manage.map.phyvirt |
lsnetsvc | All | vios.network.service.list |
lsnports | All | vios.device.manage.list |
lspath | All | vios.device.manage.list |
lspv | All | vios.device.manage.list |
lsrep | All | vios.device.manage.repos.list |
lsrole | All | vios.security.role.list |
lssecattr | -c | vios.security.cmd.list |
lssecattr | -d | vios.security.device.list |
lssecattr | -f | vios.security.file.list |
lssecattr | -p | vios.security.proc.list |
lssp | All | vios.device.manage.spool.list |
lssvc | All | vios.system.config.agent.list |
lssw | All | vios.system.software.list |
lstcpip | All | vios.network.tcpip.list |
lsuser | All | vios.security.user.list. Note: Any user can run this command to view a minimal set of user attributes. However, only users with this authorization can view all the user attributes. |
lsvg | All | vios.lvm.manage.list |
lsvlog | All | vios.device.manage.vlog.list |
lsvlrepo | All | vios.device.manage.vlrepo.list |
lsvopt | All | vios.device.manage.optical.list |
 |  | vios.device.manage.backing.create or vios.system.cluster.lu.create |
 |  | vios.device.manage.backing.create or vios.system.cluster.lu.create or vios.system.cluster.lu.map |
 |  | vios.device.manage.backing.remove or vios.system.cluster.lu.remove |
 |  | vios.device.manage.remove or vios.system.cluster.lu.unmap |
migratepv | All | vios.device.manage.migrate |
mirrorios | All | vios.lvm.manage.mirrorios.create |
mkauth | All | vios.security.auth.create |
mkbdsp | All | vios.device.manage.backing.create |
mkkrb5clnt | All | vios.security.manage.kerberos.create |
mkldap | All | vios.security.manage.ldap.create |
mklv | All | vios.lvm.manage.create |
mklvcopy | All | vios.lvm.manage.mirror.create |
mkpath | All | vios.device.manage.path.create |
mkrep | All | vios.device.manage.repos.create |
mkrole | All | vios.security.role.create |
mksp | All | vios.device.manage.spool.create |
mktcpip | All | vios.network.tcpip.config |
mkuser | All | vios.security.user.create |
mkvdev | -fbo | vios.device.manage.create.virtualdisk |
mkvdev | -lnagg | vios.device.manage.create.lnagg |
mkvdev | -sea | vios.device.manage.create.sea |
mkvdev | -vdev | vios.device.manage.create.virtualdisk |
mkvdev | -vlan | vios.device.manage.create.vlan |
mkvg | All | vios.lvm.manage.create |
mkvlog | All | vios.device.manage.vlog.create |
mkvopt | All | vios.device.manage.optical.create |
motd | All | vios.security.user.msg |
mount | All | vios.fs.mount |
netstat | All | vios.network.tcpip.list |
optimizenet | All | vios.network.config.tune |
oem_platform_level | All | vios.system.level |
oem_setup_env | All | vios.oemsetupenv |
passwd | All | vios.security.passwd. Note: A user can change the password without having this authorization. This authorization is required only if the user wants to change the password of other users. |
pdump | All | vios.system.dump.platform |
ping | All | vios.network.ping |
postprocesssvc | All | vios.system.config.agent |
prepdev | All | vios.device.config.prepare |
pv | , , | vios.device.manage.spool.change or vios.system.cluster.pool.modify |
redefvg | All | vios.lvm.manage.reorg |
reducevg | All | vios.lvm.manage.change |
refreshvlan | All | vios.network.config.refvlan |
remote_management | All | vios.system.manage.remote |
replphyvol | All | vios.device.manage.replace |
restore | All | vios.fs.backup |
restorevgstruct | All | vios.lvm.manage.restore |
rmauth | All | vios.security.auth.remove |
rmbdsp | All | vios.device.manage.backing.remove |
rmdev | All | vios.device.manage.remove |
rmlv | All | vios.lvm.manage.remove |
rmlvcopy | All | vios.lvm.manage.mirror.remove |
rmpath | All | vios.device.manage.path.remove |
rmrep | All | vios.device.manage.repos.remove |
rmrole | All | vios.security.role.remove |
rmsecattr | -c | vios.security.cmd.remove |
rmsecattr | -d | vios.security.device.remove |
rmsecattr | -f | vios.security.file.remove |
rmsp | All | vios.device.manage.spool.remove |
rmtcpip | All | vios.network.tcpip.remove |
rmuser | All | vios.security.user.remove |
rmvdev | All | vios.device.manage.remove |
rmvlog | All | vios.device.manage.vlog.remove |
rmvopt | All | vios.device.manage.optical.remove |
rolelist | -p | vios.security.proc.role.list. Note: You can run other options of this command without having any authorizations. |
rolelist | -u | vios.security.role.list |
savevgstruct | All | vios.lvm.manage.save |
save_base | All | vios.device.manage.saveinfo |
seastat | All | vios.network.stat.sea |
setkst | All | vios.security.kst.set |
setsecattr | -c | vios.security.cmd.set |
setsecattr | -d | vios.security.device.set |
setsecattr | -f | vios.security.file.set |
setsecattr | -o | vios.security.domain.set |
setsecattr | -p | vios.security.proc.set |
showmount | All | vios.fs.mount.show |
shutdown | All | vios.system.boot.shutdown |
snap | All | vios.system.trace.format |
snapshot | All | vios.device.manage.backing.create |
snmp_info | All | vios.security.manage.snmp.info |
snmpv3_ssw | All | vios.security.manage.snmp.switch |
snmp_trap | All | vios.security.manage.snmp.trap |
startnetsvc | All | vios.network.service.start |
startsvc | All | vios.system.config.agent.start |
startsysdump | All | vios.system.dump |
starttrace | All | vios.system.trace.start |
stopnetsvc | All | vios.network.service.stop |
stopsvc | All | vios.system.config.agent.stop |
stoptrace | All | vios.system.trace.stop |
svmon | All | vios.system.stat.memory |
syncvg | All | vios.lvm.manage.sync |
sysstat | All | vios.system.stat.list |
topas | All | vios.system.config.topas |
topasrec | All | vios.system.config.topasrec |
tracepriv | All | vios.security.priv.trace |
traceroute | All | vios.network.route.trace |
uname | All | vios.system.uname |
unloadopt | All | vios.device.manage.optical.unload |
unmirrorios | All | vios.lvm.manage.mirrorios.remove |
unmount | All | vios.fs.unmount |
updateios | All | vios.install |
vasistat | All | vios.network.stat.vasi |
vfcmap | All | vios.device.manage.map.virt |
viosbr | -view | vios.system.backup.cfg.view |
viosbr | Others | vios.system.backup.cfg. Note: To run any other options of this command, this authorization is required. |
viosecure | All | vios.security.manage.firewall |
viostat | All | vios.system.stat.io |
vmstat | All | vios.system.stat.memory |
wkldagent | All | vios.system.manage.workload.agent |
wkldmgr | All | vios.system.manage.workload.manager |
wkldout | All | vios.system.manage.workload.process |
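The hierarchy rule stated above the table (a role holding vios.device also satisfies every vios.device.* child, and an "or" cell is satisfied by any one of its alternatives) is easy to get wrong when reviewing a custom role for least privilege. The following added example, which is not IBM code, resolves a role's authorizations against a constructed subset of the table on this page so you can list exactly which commands and options a role unlocks. The TABLE contents are copied from rows above; the pv row's option cell is unreadable in the source, so "All" there is a constructed stand-in.

```python
"""Audit which Virtual I/O Server commands a role's authorizations unlock.

Added example, not IBM code. TABLE is a constructed subset of the
command/authorization table on this page; the resolution rule (a parent
such as vios.device grants every vios.device.* child) is the one the page states.
"""

# (command, option) -> alternative authorizations; holding any one suffices.
# "All" covers every option; "Others" covers any option not listed separately.
TABLE = {
    ("cfgdev", "All"): ("vios.device.config",),
    ("chdev", "All"): ("vios.device.manage.change",),
    ("lsdev", "All"): ("vios.device.manage.list",),
    ("errlog", "-rm"): ("vios.system.log",),
    ("errlog", "Others"): ("vios.system.log.view",),
    ("lssecattr", "-c"): ("vios.security.cmd.list",),
    ("lssecattr", "-p"): ("vios.security.proc.list",),
    ("mkuser", "All"): ("vios.security.user.create",),
    ("chuser", "All"): ("vios.security.user.change",),
    # pv lists two alternatives on the page; its option cell is unreadable in
    # the source, so "All" here is a constructed stand-in.
    ("pv", "All"): ("vios.device.manage.spool.change",
                    "vios.system.cluster.pool.modify"),
}


def grants(held: str, required: str) -> bool:
    """True if holding `held` satisfies `required`: exact match or an ancestor.

    The trailing dot prevents vios.device from matching vios.devicex.*.
    """
    return required == held or required.startswith(held + ".")


def required_for(command: str, option: str):
    """Alternatives for one invocation, honouring the All/Others conventions."""
    for key in ((command, option), (command, "All"), (command, "Others")):
        if key in TABLE:
            return TABLE[key]
    raise KeyError(f"{command} {option} is not in the table")


def permitted(role_auths, command: str, option: str = "All") -> bool:
    """Can a role session holding `role_auths` run `command option`?"""
    return any(grants(held, req)
               for req in required_for(command, option)
               for held in role_auths)


def commands_for_role(role_auths):
    """Every (command, option) in TABLE the role can run: a review aid."""
    return sorted(key for key in TABLE if permitted(role_auths, *key))


if __name__ == "__main__":
    # A role meant for "device management only" also unlocks pv, because
    # vios.device.manage.spool.change sits under vios.device.manage.
    for entry in commands_for_role({"vios.device.manage"}):
        print(entry)
```

Run commands_for_role with the authorization list you intend to give to mkrole before creating the role; a broad intermediate authorization such as vios.device.manage pulls in every descendant, including ones (pv in this subset) you may not have had in mind.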
Roles
The Virtual I/O Server retains its current roles and assigns the appropriate authorizations to them. Additional roles that closely emulate the roles in the AIX operating system can be created. The roles follow the AIX naming conventions and descriptions, but apply only to Virtual I/O Server-specific requirements. Users cannot view, use, or modify any of the default roles in the AIX operating system.
The following roles are the default roles in the AIX operating system. These roles are unavailable to the Virtual I/O Server users, and are not displayed.
- AccountAdmin
- BackupRestore
- DomainAdmin
- FSAdmin
- SecPolicy
- SysBoot
- SysConfig
- isso
- sa
- so
The following roles are the default roles in the Virtual I/O Server:
- Admin
- DEUser
- PAdmin
- RunDiagnostics
- SRUser
- SYSAdm
- ViewOnly
The mkrole command creates a role. The newrole parameter must be a unique role name. You cannot use the ALL or default keywords as the role name. Every role must have a unique role ID that is used for security decisions. If you do not specify the id attribute when you create a role, the mkrole command automatically assigns a unique ID to the role.
The role parameter cannot contain spaces, tabs, or newline characters. To prevent inconsistencies, restrict role names to characters in the POSIX portable file name character set. You cannot use the keywords ALL or default as a role name. Do not use the following characters within a role-name string:
- : (colon)
- " (quotation mark)
- # (number sign)
- , (comma)
- = (equal sign)
- \ (backslash)
- / (forward slash)
- ? (question mark)
- ' (single quotation mark)
- ` (grave accent)
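The naming, hierarchy and ID rules for mkauth (in the Authorizations section above) and the naming rules for mkrole (just above) are the kind of constraints that are cheap to check before a command is run and annoying to discover afterwards. The following added example, which is not IBM code, encodes those rules as pre-flight checks. It assumes the caller supplies the set of authorization names already in the database (on a real Virtual I/O Server you would collect it with lsauth); the hypothetical function names check_authorization and check_role are this example's own.

```python
"""Pre-flight checks for names given to mkauth and mkrole on the VIOS.

Added example, not IBM code. Every rule below is taken from the page:
forbidden characters, reserved keywords, leading characters, the vios./aix.
system prefixes, the eight-parent limit, and the ID range above 15000.
"""
import re

FORBIDDEN_CHARS = frozenset(':"#,=\\/?\'`')      # forbidden inside auth and role names
FORBIDDEN_LEADING = frozenset("-+@~")             # an auth name must not begin with these
AUTH_KEYWORDS = frozenset({"ALL", "default", "ALLOW_OWNER", "ALLOW_GROUP", "ALLOW_ALL", "*"})
ROLE_KEYWORDS = frozenset({"ALL", "default"})
SYSTEM_PREFIXES = ("vios.", "aix.")               # system-defined hierarchies
MAX_PARENT_ELEMENTS = 8
MIN_USER_AUTH_ID = 15001                          # IDs 1 - 15000 are reserved
# POSIX portable file name character set, recommended for role names.
POSIX_PORTABLE = re.compile(r"^[A-Za-z0-9._-]+$")


def _common_name_errors(name: str, keywords: frozenset) -> list:
    """Checks shared by authorization and role names."""
    errors = []
    if not name:
        return ["name is empty"]
    if name in keywords:
        errors.append(f"{name!r} is a reserved keyword")
    if any(ch.isspace() for ch in name):
        errors.append("name contains a space, tab or newline")
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        errors.append("name contains forbidden character(s): " + " ".join(bad))
    return errors


def check_authorization(name: str, existing, auth_id=None, used_ids=()) -> list:
    """Rule violations for `mkauth name [id=auth_id]`; an empty list means OK.

    `existing` is the set of authorization names already in the database
    (supplied by the caller here; lsauth provides it on a real system).
    """
    errors = _common_name_errors(name, AUTH_KEYWORDS)
    if not name:
        return errors
    if name[0] in FORBIDDEN_LEADING:
        errors.append(f"name must not begin with {name[0]!r}")
    if name.startswith(SYSTEM_PREFIXES):
        errors.append("names under vios. and aix. are system-defined and cannot be extended")
    parts = name.split(".")
    parents = parts[:-1]
    if len(parents) > MAX_PARENT_ELEMENTS:
        errors.append(f"{len(parents)} parent elements exceed the maximum of {MAX_PARENT_ELEMENTS}")
    # Every ancestor (ParentAuth, ParentAuth.SubParentAuth, ...) must already exist.
    for depth in range(1, len(parents) + 1):
        ancestor = ".".join(parts[:depth])
        if ancestor not in existing:
            errors.append(f"parent authorization {ancestor!r} does not exist")
    if auth_id is not None:
        if auth_id < MIN_USER_AUTH_ID:
            errors.append(f"id {auth_id} is reserved; user-defined ids must be greater than {MIN_USER_AUTH_ID - 1}")
        if auth_id in used_ids:
            errors.append(f"id {auth_id} is already in use")
    return errors


def check_role(name: str) -> list:
    """Rule violations for `mkrole name`; an empty list means OK."""
    errors = _common_name_errors(name, ROLE_KEYWORDS)
    if name and not POSIX_PORTABLE.match(name):
        errors.append("name uses characters outside the POSIX portable file name character set")
    return errors


if __name__ == "__main__":
    # Constructed database state: only the top-level 'myco' authorization exists.
    print(check_authorization("myco.lvm.list", existing={"myco"}))
    print(check_role("Storage_Admin"))
```

The ancestor check reproduces the page's requirement that every parent element exist before the child is created, so for a three-level name you create myco, then myco.lvm, then myco.lvm.list, in that order.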
Privileges
A privilege is an attribute of a process through which the process can bypass specific restrictions and limitations of the system. Privileges are associated with a process and are acquired by running a privileged command. Privileges are defined as bit masks in the operating system kernel and enforce access control over privileged operations. For example, the privilege bit PV_KER_TIME might control the kernel operation that modifies the system date and time. Nearly 80 privileges are included with the operating system and provide granular control over privileged operations. Because privileged operations are divided up in the kernel, a process can be given only the least privilege required to perform an operation. This leads to enhanced security: an attacker who compromises a process gains only the one or two privileges that process holds, not root user privileges.
Authorizations and roles are a user-level tool to configure user access to privileged operations. Privileges are the restriction mechanism used in the operating system kernel to determine whether a process is permitted to perform an action. Hence, if a user is in a role session that has an authorization to run a command, and that command is run, a set of privileges is assigned to the process. There is no direct mapping of authorizations and roles to privileges: a single authorization can grant access to several commands, and each of those commands can be granted a different set of privileges.
The following table lists the commands related to role-based access control (RBAC).
Command | Description |
---|---|
chauth | Modifies attributes of the authorization that is identified by the newauth parameter |
chrole | Changes attributes of the role identified by the role parameter |
lsauth | Displays attributes of user-defined and system-defined authorizations from the authorization database |
lsrole | Displays the role attributes |
lssecattr | Lists the security attributes of one or more commands, devices, or processes |
mkauth | Creates new user-defined authorizations in the authorization database |
mkrole | Creates new roles |
rmauth | Removes the user-defined authorization identified by the auth parameter |
rmrole | Removes the role identified by the role parameter from the roles database |
rmsecattr | Removes the security attributes for a command, a device, or a file entry that is identified by the Name parameter from the appropriate database |
rolelist | Provides role and authorization information to the caller about the roles assigned to them |
setkst | Reads the security databases and loads the information from the databases into the kernel security tables |
setsecattr | Sets the security attributes of the command, device, or process that are specified by the Name parameter |
swrole | Creates a role session with the roles that are specified by the Role parameter |
tracepriv | Records the privileges that a command attempts to use when the command is run |