Role Based Policy Options

These options are not available on EPM-L clients.

The Role Based Policy is held in multiple tables. Each table refers to an individual entity with attributes, and is referenced by unique entity ids. Each entity is then linked together into a role. When retrieving, updating, or deleting entities, either the name or id can be used. The command line utility pbdbutil with the option --rbp can be used to retrieve (-g), update (-u), or delete (-d) entities.

When updating, a complete entity including all of its attributes must be supplied. The REST API uses the same JSON format and parameters, with GET, PUT and DELETE corresponding to retrieve, update and delete respectively. There are also a number of pseudo-attributes that allow lists to be retrieved by their parent grouping. These are:

  • usergrpname: list User Lists which correspond to the specified User Group
  • hostgrpname: list Host Lists which correspond to the specified Host Group
  • cmdgrpname: list Command Lists which correspond to the specified Command Group
  • tmdategrpname: list Time/Date Lists which correspond to the specified Time/Date Group
  • rolename: list all lists which correspond to the specified Role Group

Usage

pbdbutil --rbp [<options>] [ <file> <file> ...]
-b  -m <msg> Begin Role Based Policy change transaction
-c Commit Role Based Policy change transaction
-r Rollback Role Based Policy change transaction
    --force -m <msg> Force rollback of another user's change transaction
-i <file> Import Role Based Policy file in the database
-e -o <outfile> Export Role Based Policy from database and output to file
    -V <ver> Used with export, but export specified version
-g { json param } Get Role Based Policy database records
-u { json param } Update Role Based Policy database records
    -m <msg> Specify message - required when change management enabled.
-d { json param } Delete Role Based Policy database records
    --force Force deletion of dependent records in the database
    -m <msg> Specify message - required when change management enabled.
-n Create new Role Based Policy database
-R { json param } Report user entitlements from the database
    -R Add option to display commands
       -R Add option to display time/date restrictions
         -R Add option to display additional role options
-E { json param } List user entitlements data from the database, where { json param } is one or more of:
     "submituser" : "user1" Specify submit user or wildcard
     "submithost" : "host1" Specify submit host or wildcard
     "runuser" : "user1" Specify run user or wildcard
     "runhost" : "host1" Specify run host or wildcard
     "command" : "command" Specify command or wildcard
-L List all Role Based Policy policies in the database
    -t <tag> Limit list by tag wildcard
-l List all Role Based Policy versions in the database

Sample use of pbdbutil --rbp when rbptransactions is set to yes:
pbdbutil --rbp -b -m "<message>"
pbdbutil --rbp -i <file>
pbdbutil --rbp -c
List all of the User Groups whose name matches ug*:
pbdbutil --rbp -g '{ "usergrp" : { "name" : "ug*" }}'
[{"id":1,"name":"ug1","description":"desc","disabled":0,"single":0,"type":"I","extinfo":null}]
List the User Group whose id=1:
pbdbutil --rbp -g '{ "usergrp" : { "id" : "1" }}'
[{"id":1,"name":"ug1","description":"desc","disabled":0,"single":0,"type":"I","extinfo":null}]

Record Entities

  • usergrp
  • userlist
  • hostgrp
  • hostlist
  • cmdgrp
  • cmdlist
  • tmdategrp
  • tmdatelist
  • role
  • roleusers
  • rolehosts
  • rolecmds
  • roletmdates

Entities can be listed by the attributes name and id, and by the entity-specific pseudo-attributes rolename, usergrpname, hostgrpname, cmdgrpname and tmdategrpname.

-g '{ "role" : { "name" : "*" }} ' Display all Roles
-g '{ "usergrp" : { "name" : "n*" }}' Display all User Groups which match "n*"
-g '{ "userlist" : { "name" : "usergrp1" }} ' Display group membership for usergrp by name
-g '{ "roleusers" : { "rolename" : "role1" }}' Display list of usergrps assigned to role
-g '{ "rolehosts" : { "id" : 1 }} ' Display list of hostgrps assigned to role id 1

Descriptions

-b

This option is mandatory if the Role Based Policy transactions are enabled. Role Based Policy transactions are enabled when rbptransactions is set to yes.

Before any changes can be made the administrator must begin the transaction with a suitable Change Management message. This transaction is then kept open until the same user commits or rolls back the transaction. The transaction is not visible by the live authorization process until it is committed.

Available if the Role Based Policy Transactions are enabled.

-c Commit the current open transaction making it live.
-r [--force]

Rollback the current open transaction, discarding any changes that have been made.

Available if the Role Based Policy Transactions are enabled.
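The transaction sequence described above (-b, then -i/-u/-d, then -c, or -r on failure) as an added shell wrapper; this is example code, not part of the EPM-UL documentation or product. It assumes rbptransactions is set to yes, so -u and -d are given the -m message; PBDBUTIL is a hypothetical override hook, not a real pbdbutil setting.

```shell
#!/bin/sh
# Added example (not from the EPM-UL documentation): apply Role Based Policy
# changes inside one change transaction, rolling back on the first failure so a
# half-applied set of entity updates never reaches the live policy.
# Assumes rbptransactions is set to yes (so -b/-c are required and -u/-d need -m).
# PBDBUTIL is a hypothetical override hook, not a real pbdbutil setting.
PBDBUTIL="${PBDBUTIL:-pbdbutil}"
RBP_MSG=""
RBP_FAILED=0

# rbp_begin <change-message>: open the transaction; every later -u/-d reuses the message.
rbp_begin() {
    RBP_MSG="$1"
    RBP_FAILED=0
    "$PBDBUTIL" --rbp -b -m "$RBP_MSG"
}

# _rbp_run <pbdbutil args...>: run one step; on failure roll the transaction back
# and remember the failure so later steps are skipped and rbp_end does not commit.
_rbp_run() {
    [ "$RBP_FAILED" -eq 0 ] || return 1
    if "$PBDBUTIL" --rbp "$@"; then
        return 0
    fi
    RBP_FAILED=1
    "$PBDBUTIL" --rbp -r
    return 1
}

rbp_import() { _rbp_run -i "$1"; }                  # -i <file>
rbp_update() { _rbp_run -u "$1" -m "$RBP_MSG"; }    # -u '{ json param }' -m <msg>
rbp_delete() { _rbp_run -d "$1" -m "$RBP_MSG"; }    # -d '{ json param }' -m <msg>

# rbp_end: commit only when every step succeeded; returns 1 if a rollback happened.
rbp_end() {
    [ "$RBP_FAILED" -eq 0 ] || return 1
    "$PBDBUTIL" --rbp -c
}

# Usage (the User Group operations from this page, now inside one transaction):
# rbp_begin "CHG-1234: add wheel to ug1, remove user1"
# rbp_update '{ "userlist" : { "usergrpname":"ug1","user":"wheel"}}'
# rbp_delete '{ "userlist" : { "usergrpname":"ug1", "user" : "user1"}}'
# rbp_end
```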

-i <file> Import Role Based Policy file in the database.
-e -o <outfile> [-V <ver>] Export Role Based Policy from database and output to file.
-g { json param } Retrieve and display attributes of the entities within the Role Based Policy database.
-u { json param } Update entities and attributes within the Role Based Policy database.
-d { json param }

Delete entities within the Role Based Policy database.

-n Create a new Role Based Policy database, as specified by the policydb keyword in the EPM-UL/etc/pb.settings configuration file.
-R { json param } Report user entitlements from the database.
  -R Add option to display commands.
    -R Add option to display time/date restrictions.
      -R Add option to display additional role options.
-E { json param } List user entitlements data from the database, where { json param } is one or more of:
 "submituser" : "user1" Specify submit user or wildcard
 "submithost" : "host1" Specify submit host or wildcard
 "runuser" : "user1" Specify run user or wildcard
 "runhost" : "host1" Specify run host or wildcard
 "command" : "command" Specify command or wildcard
-L List all Role Based Policy policies in the database
-l List all Role Based Policy versions in the database

User Group Examples

Retrieve list of User Groups that match ug*
-g '{ "usergrp" : { "name" : "ug*" }}'
[{"id":1,"name":"ug1","description":"desc","disabled":0,"single":0,"type":"I","extinfo":null}]
Retrieve list of Users in the User Group ug1
-g '{ "userlist" : { "usergrpname" : "ug1" }}'
[{"id":1,"user":"root"},{"id":1,"user":"adm*"}]
Update User Group ug1 with new attributes
-u '{ "usergrp" : { "id":1,"name":"ug1","description":"new description","disabled":0,"single":0,"type":"I","extinfo":null}}'
Add new user to User Group ug1
-u '{ "userlist" : { "usergrpname":"ug1","user":"wheel"}}'
To delete all users from User Group ug1
-d '{ "userlist" : { "usergrpname":"ug1"}}'
To delete a specified user from User Group ug1
-d '{ "userlist" : { "usergrpname":"ug1", "user" : "user1"}}'

Host Group Examples

Retrieve list of Host Groups that match hg*
-g '{ "hostgrp" : { "name" : "hg*" }}'
[{"id":1,"name":"hg1","description":"desc","disabled":0,"type":"I","extinfo":null}]
Retrieve list of Hosts in the Host Group hg1
-g '{ "hostlist" : { "hostgrpname" : "hg1" }}'
[{"id":1,"host":"host2"},{"id":1,"host":"*.dev.com"}]
Update Host Group hg1 with new attributes
-u '{ "hostgrp" : { "id":1,"name":"hg1","description":"new description","disabled":0,"type":"I","extinfo":null}}'
Add new host to Host Group hg1
-u '{ "hostlist" : { "hostgrpname":"hg1","host":"host5"}}'
To delete all hosts from Host Group hg1
-d '{ "hostlist" : { "hostgrpname":"hg1"}}'
To delete a specified host from Host Group hg1
-d '{ "hostlist" : { "hostgrpname":"hg1", "host" : "host1"}}'

Command Examples

Retrieve list of Command Groups that match cg*
-g '{ "cmdgrp" : { "name" : "cg*" }}'
[{"id":1,"name":"cg1","description":"desc","disabled":0}]
Retrieve list of Commands in the Command Group cg1
-g '{ "cmdlist" : { "cmdgrpname" : "cg1" }}'
[{"id":1,"cmd":"rm *","rewrite":"echo $*"},{"id":1,"cmd":"/usr/bin/rm *","rewrite":"echo $*"}]
Update Command Group cg1 with new attributes
-u '{ "cmdgrp" : { "id":1,"name":"cg1","description":"new description","disabled":0}}'
Add new command to Command Group cg1
-u '{ "cmdlist" : { "cmdgrpname":"cg1","cmd":"/bin/rm *","rewrite":"echo $*"}}'
To delete all commands from Command Group cg1
-d '{ "cmdlist" : { "cmdgrpname":"cg1"}}'
To delete a specified command from Command Group cg1
-d '{ "cmdlist" : { "cmdgrpname":"cg1", "cmd" : "rm *"}}'

Time/Date Examples

Retrieve list of Time/Date Groups that match td*
-g '{ "tmdategrp" : { "name" : "td*" }}'
[{"id":1,"name":"td1","description":"desc","disabled":0}]
Retrieve list of Time/Dates in the Time/Date Group td1
-g '{ "tmdatelist" : { "tmdategrpname" : "td1" }}'
[{"id":1,"tmdate" : "{
    \"mon\" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0],
    \"tue\" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0],
    \"wed\" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0],
    \"thu\" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0],
    \"fri\" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0],
    \"sat\" : [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
    \"sun\" : [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] }"}]
Update Time/Date Group td1 with new attributes
-u '{ "tmdategrp" : { "id":1,"name":"td1","description":"new description","disabled":0}}'
Add new time/date to Time/Date Group td1
-u '{ "tmdatelist" : { "tmdategrpname":"td1","tmdate":"{ \"range\" : { \"from\" : 1415851283, \"to\": 1415887283 }}"}}'
To delete all times/dates from Time/Date Group td1
-d '{ "tmdatelist" : { "tmdategrpname":"td1"}}'
To delete a specified time/date from Time/Date Group td1
-d '{ "tmdatelist" : { "tmdategrpname":"td1", "tmdate" : "{ \"range\" : { \"from\" : 1415851283, \"to\": 1415887283 }}"}}'

Role Examples

Retrieve list of Roles that match Role*
-g '{ "role" : { "name" : "Role*" }}'
[{"id" : 0, "name" : "Role5", "rorder" : 3, "description" : "Desc3", "disabled" : 0, "risk" : 1, "action" : "A", "iolog" : "/tmp/iolog_XXXXXX", "script" : "accept;"},
 {"id" : 1, "name" : "Role6", "rorder" : 2, "description" : "Desc3", "disabled" : 0, "risk" : 1, "action" : "A", "iolog" : "/tmp/iolog_XXXXXX", "script" : null},
 {"id" : 2, "name" : "Role7", "rorder" : 1, "description" : "Desc3", "disabled" : 0, "risk" : 1, "action" : "A", "iolog" : "/tmp/iolog_XXXXXX", "script" : null}]
Retrieve list of User Groups listed in the role Role6
-g '{ "roleusers" : { "name" : "Role6" }}'
[{"id":1,"users":1,"type":"R"},{"id":1,"users":1,"type":"S"}]
Update role Role5 with new attributes
-u '{ "role" : [
 {"id":0,"name":"Role5","rorder":3,"description":"Description 4","disabled":0,"risk":1,"action":"A","iolog":"/tmp/iolog_XXXXXX","script":"accept;"},
 {"id":1,"name":"Role6","rorder":2,"description":"Desc3","disabled":0,"risk":1,"action":"A","iolog":"/tmp/iolog_XXXXXX","script":null},
 {"id":2,"name":"Role7","rorder":1,"description":"Desc3","disabled":0,"risk":1,"action":"A","iolog":"/tmp/iolog_XXXXXX","script":null} ] }'
Add new Submit Host, hostgrp2, to role Role5
-u '{ "rolehosts" : { "name" : "Role5", "hostgrpname" : "hostgrp2" , "type" : "S"}}'
To delete all User Groups from role Role5
-d '{ "roleusers" : { "name":"Role5"}}'
To delete specified User Group from role Role5
-d '{ "roleusers" : { "name" : "Role5", "usergrpname":"ug1"}}'

For more information on the rbptransactions setting in the Endpoint Privilege Management /etc/pb.settings configuration file, see Role Based Policy.