Roles are the entities that tie all the other entities (users, hosts, commands and time/dates) together to define a complete policy rule.
CREATE TABLE role (
  id INTEGER PRIMARY KEY,
  name TEXT UNIQUE,
  rorder INTEGER,                                   -- rule order for matching
  description TEXT,
  disabled INTEGER CHECK(disabled BETWEEN 0 AND 1), -- 0=enabled, 1=disabled
  risk INTEGER CHECK(risk >= 0),
  action CHAR(1) CHECK (action IN ('A','R')),       -- A=Accept, R=Reject
  iolog TEXT,                                       -- iolog template
  script TEXT,                                      -- pbparse script
  tag TEXT DEFAULT NULL,                            -- Arbitrary tag that will allow grouping of roles
  comment TEXT DEFAULT NULL,                        -- Arbitrary comment field that can contain anything
  message TEXT DEFAULT NULL,                        -- Accept/reject message (templated)
  variables TEXT DEFAULT NULL,                      -- Contains JSON formatted Policy Script variables to set (templated)
  varmatch TEXT DEFAULT NULL,                       -- Contains JSON formatted Policy Script variables to match
  auth TEXT DEFAULT NULL,                           -- Contains JSON formatted array of authentication methods (templated)
  rpt INTEGER DEFAULT 1                             -- 1=on, 0=off, include Role in Entitlement Report
);

CREATE TABLE roleusers (
  id INTEGER REFERENCES role(id),
  users INTEGER REFERENCES usergrp(id),
  type CHAR(1) CHECK (type IN ('S','R')),           -- S=Submit, R=Run User
  PRIMARY KEY (id,users,type)
);

CREATE TABLE rolehosts (
  id INTEGER REFERENCES role(id),
  hosts INTEGER REFERENCES hostgrp(id),
  type CHAR(1) CHECK (type IN ('S','R')),           -- S=Submit, R=Run Host
  PRIMARY KEY (id,hosts,type)
);

CREATE TABLE rolecmds (
  id INTEGER REFERENCES role(id),
  cmds INTEGER REFERENCES cmdgrp(id),
  PRIMARY KEY (id,cmds)
);

CREATE TABLE roletmdates (
  id INTEGER REFERENCES role(id),
  tmdates INTEGER REFERENCES tmdategrp(id),
  PRIMARY KEY (id,tmdates)
);
Each role has multiple users, hosts, commands and time/dates. When the Policy Engine matches against roles, complete records are selected from the database as fully populated roles, sorted by the role attribute rorder. Once the first record has been matched, the attributes of that role are applied to the session, and the Policy Engine accepts or rejects the session. The iolog template is the normal script format log file, for example /var/log/io_log.XXXXXX. The script is a full Privilege Management for Unix and Linux script that is called if the role has been accepted. This script can carry out extra processing to authorize the session (and can therefore override the accept/reject status with an implicit command), and can carry out extended environment configuration as a normal Privilege Management for Unix and Linux script would.
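As an added worked example (not the product's own code or schema), the first-match-by-rorder lookup described above, run with Python's sqlite3 over a cut-down copy of the role tables; the usergrp, hostgrp and cmdgrp tables and their (id, member) layout are assumptions, since the page does not define them, and the sample users, hosts, commands and roles are constructed.

```python
import sqlite3
# Cut-down copy of the role tables from the page plus stand-in group tables;
# the real usergrp/hostgrp/cmdgrp definitions are not on this page (assumption).
SCHEMA = """
CREATE TABLE usergrp (id INTEGER, member TEXT);
CREATE TABLE hostgrp (id INTEGER, member TEXT);
CREATE TABLE cmdgrp  (id INTEGER, member TEXT);
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT UNIQUE, rorder INTEGER,
  disabled INTEGER CHECK(disabled BETWEEN 0 AND 1),
  action CHAR(1) CHECK (action IN ('A','R')));
CREATE TABLE roleusers (id INTEGER REFERENCES role(id), users INTEGER,
  type CHAR(1) CHECK (type IN ('S','R')), PRIMARY KEY (id,users,type));
CREATE TABLE rolehosts (id INTEGER REFERENCES role(id), hosts INTEGER,
  type CHAR(1) CHECK (type IN ('S','R')), PRIMARY KEY (id,hosts,type));
CREATE TABLE rolecmds (id INTEGER REFERENCES role(id), cmds INTEGER,
  PRIMARY KEY (id,cmds));
"""
# Lowest rorder wins; disabled roles are skipped; only the Submit ('S')
# user and host groups are consulted for who may submit from where.
MATCH_SQL = """
SELECT r.name, r.action FROM role r WHERE r.disabled = 0
  AND EXISTS (SELECT 1 FROM roleusers ru JOIN usergrp g ON g.id = ru.users
              WHERE ru.id = r.id AND ru.type = 'S' AND g.member = ?)
  AND EXISTS (SELECT 1 FROM rolehosts rh JOIN hostgrp g ON g.id = rh.hosts
              WHERE rh.id = r.id AND rh.type = 'S' AND g.member = ?)
  AND EXISTS (SELECT 1 FROM rolecmds rc JOIN cmdgrp g ON g.id = rc.cmds
              WHERE rc.id = r.id AND g.member = ?)
ORDER BY r.rorder LIMIT 1
"""

def build_db():
    """Constructed sample policy: a narrow reject rule ordered before a broad accept."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO usergrp VALUES (?,?)", [(1, "alice"), (1, "bob"), (2, "bob")])
    db.executemany("INSERT INTO hostgrp VALUES (?,?)", [(1, "web1"), (1, "db1")])
    db.executemany("INSERT INTO cmdgrp VALUES (?,?)", [(1, "/bin/bash"), (1, "/usr/sbin/reboot"), (2, "/bin/bash")])
    db.executemany("INSERT INTO role VALUES (?,?,?,?,?)", [
        (1, "stale-accept", 5, 1, "A"),    # disabled=1: must never match despite lowest rorder
        (2, "deny-bob-shell", 10, 0, "R"),  # bob may not get an interactive shell
        (3, "ops-admins", 20, 0, "A")])     # broad accept for the ops group
    db.executemany("INSERT INTO roleusers VALUES (?,?,?)", [(1, 1, "S"), (2, 2, "S"), (3, 1, "S")])
    db.executemany("INSERT INTO rolehosts VALUES (?,?,?)", [(1, 1, "S"), (2, 1, "S"), (3, 1, "S")])
    db.executemany("INSERT INTO rolecmds VALUES (?,?)", [(1, 1), (2, 2), (3, 1)])
    return db

def match_role(db, user, host, cmd):
    """Return (name, action) of the first role matching the session, or None if no role matches."""
    return db.execute(MATCH_SQL, (user, host, cmd)).fetchone()
```

The rorder of the disabled role is irrelevant, and a more specific reject placed before a broad accept is what keeps bob out of a shell while still letting him run the reboot command through the later role.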