Contains the list of valid roles. This system file only applies to AIX Versions 4.2.1 and later.
The /etc/security/roles file contains the list of valid roles. This is an ASCII file that contains a stanza for each system role. Each stanza is identified by a role name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a newline character as does each stanza.
The file supports a default stanza. If an attribute is not defined, the default value for the attribute is used.
A stanza contains the following attributes:
Attribute | Description
--- | ---
rolelist | Contains a list of roles implied by this role and allows a role to function as a super-role. If the rolelist attribute contains the value "role1,role2", assigning the role to a user also assigns the roles role1 and role2 to that user.
authorizations | Contains the list of additional authorizations acquired by the user for this specific role.
groups | Contains the list of groups that a user should belong to in order to effectively use this role. The user must be added to each group in this list for this role to be effective.
screens | Contains a list of SMIT screen identifiers that allow a role to be mapped to various SMIT screens. The default value for this attribute is * (all screens).
msgcat | Contains the file name of the message catalog that contains the one-line descriptions of system roles.
msgnum | Contains the message ID that retrieves this role description from the message catalog.
For a typical stanza, see the "Examples" section.
You should access this file through the commands and subroutines defined for this purpose. You can use the following commands to change the roles file:
The mkrole command creates an entry for each new role in the /etc/security/roles file. To change the attribute values, use the chrole command. To display the attributes and their values, use the lsrole command. To remove a role, use the rmrole command.
To write programs that affect attributes in the /etc/security/roles file, use the subroutines listed in Related Information.
Access Control: This file grants read and write access to the root user, and read access to members of the security group.
A typical stanza looks like the following example for the ManageAllUsers role:
    ManageAllUsers:
            rolelist = ManageBasicUsers
            authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
            groups = security
            screens = mkuser,rmuser,!tcpip
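As an added example (not IBM's code and not a tool shipped with AIX), the following Python reads text in the stanza format described above, fills in values from the default stanza, expands the rolelist attribute transitively so that a super-role's implied roles are included, and reports which groups a user still lacks before a role can take effect. The file content is constructed for the example: the ManageAllUsers stanza is the one shown on this page, while the default and ManageBasicUsers stanzas are invented. Treating lines that begin with `*` as comments is an assumption not stated on this page.

```python
# Added example: parser and checker for /etc/security/roles stanzas.
# Constructed sample in the documented format (default stanza + two roles).
SAMPLE_ROLES_FILE = """\
default:
        rolelist =
        authorizations =
        groups =
        screens = *
        msgcat = roles.cat

ManageBasicUsers:
        authorizations = UserAdmin
        groups = security
        screens = mkuser,rmuser
        msgnum = 1

ManageAllUsers:
        rolelist = ManageBasicUsers
        authorizations = UserAdmin,RoleAdmin,PasswdAdmin,GroupAdmin
        groups = security
        screens = mkuser,rmuser,!tcpip
        msgnum = 2
"""

# Attributes whose value is a comma-separated list (see the attribute table).
LIST_ATTRS = {"rolelist", "authorizations", "groups", "screens"}


def parse_roles(text):
    """Parse stanza text into {role_name: {attribute: value}}.

    A stanza begins with 'name:' on its own line; each following
    'Attribute = Value' line belongs to it until the next header.
    List-valued attributes are split on commas (an empty value is []).
    """
    roles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # blank, or assumed comment line
            continue
        if line.endswith(":") and "=" not in line:  # stanza header
            current = line[:-1].strip()
            roles[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        attr, _, value = line.partition("=")
        attr, value = attr.strip(), value.strip()
        if attr in LIST_ATTRS:
            value = [v.strip() for v in value.split(",") if v.strip()]
        roles[current][attr] = value
    return roles


def effective(roles, name):
    """Attributes of one role, with the default stanza filling any gaps."""
    merged = dict(roles.get("default", {}))
    merged.update(roles[name])
    return merged


def implied_roles(roles, name, seen=None):
    """All roles held through this role, following rolelist transitively.

    Roles already visited are skipped, so a rolelist cycle terminates;
    a rolelist entry naming an undefined role is reported as an error.
    """
    seen = set() if seen is None else seen
    if name in seen:
        return seen
    seen.add(name)
    for sub in effective(roles, name).get("rolelist", []):
        if sub not in roles:
            raise KeyError(f"{name}: rolelist names undefined role {sub!r}")
        implied_roles(roles, sub, seen)
    return seen


def effective_authorizations(roles, name):
    """Sorted union of authorizations over the role and every implied role."""
    auths = set()
    for r in implied_roles(roles, name):
        auths.update(effective(roles, r).get("authorizations", []))
    return sorted(auths)


def missing_groups(roles, name, user_groups):
    """Groups the user must still join before the role (and the roles it
    implies) can take effect; an empty list means the role is effective."""
    needed = set()
    for r in implied_roles(roles, name):
        needed.update(effective(roles, r).get("groups", []))
    return sorted(needed - set(user_groups))


ROLES = parse_roles(SAMPLE_ROLES_FILE)

if __name__ == "__main__":
    for role in (r for r in ROLES if r != "default"):
        print(role, effective_authorizations(ROLES, role),
              "missing for a staff-only user:", missing_groups(ROLES, role, {"staff"}))
```

The group check mirrors the groups attribute's rule that a role is only effective once the user belongs to every listed group; running it over each user's actual group membership is a quick way to find roles that look assigned but are silently inert, or users who hold a group without holding the role that justifies it.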
This file is part of the Base Operating System (BOS) Runtime.
Related information: the chrole, lsrole, mkrole, and rmrole commands; the getroleattr, nextrole, putroleattr, setroledb, and endroledb subroutines.