Hi again,
first, "rbac" doesn't seem to exist. Where did you get that information from? At least it's not a command.
authexec - is used to run a command under RBAC control in a special way.
The command must be in privcmds with "authroles = <some role>".
This is kind of a "four eyes" thing - one user invokes authexec, and a second user being authorized for a required role authenticates - then the command is run. "Four eyes" - because the invoking user and the authenticating user must be different!
authqry - this is a command I've not been aware of up to now!
It is used to configure auditing for a particular user in regard to authorization usage (remember our cases dealing with AUDIT and RBAC?)
With the "-c" flag authqury adds the specified userid (enabled for class "rbacqury") to audit/config and adds the class rbacqury ("PROC_SetRoles,PROC_ChkAuth,SEC_ChkAuth") as well, if it's not already present.
With "-q" usage of authorizations of the specified user is queried and listed. ("-t" specifies number of days to report.)
Additionally, "-s" starts or restarts the audit subsystem.
authrpt - reports on authorizations: depending on the flags "-c, -f, -u, -r" a report on commands, files, users or roles is generated for the specified authorization. Without flags a report on all of the above is generated.
Example:
> authrpt aix.system.config.cron
authorization:
aix.system.config.cron
commands:
/usr/bin/atrm
/usr/bin/cronadm
/usr/sbin/cron
files:
/etc/cronlog.conf
/var/adm/cron/at.allow
/var/adm/cron/at.deny
roles:
sa
users:
user1
user2
Good question, by the way!
wmp
