Roles

Roles are the entities that tie all the other entities (user groups, host groups, command groups and time/date groups) together to define a single policy rule.

CREATE TABLE role (
	id INTEGER PRIMARY KEY,
	name TEXT UNIQUE,
	rorder INTEGER, -- rule order for matching (lowest value is evaluated first)
	description TEXT,
	disabled INTEGER CHECK(disabled BETWEEN 0 AND 1), -- 0=enabled, 1=disabled
	risk INTEGER CHECK(risk >= 0),
	action CHAR(1) CHECK (action IN ('A','R')), -- A=Accept, R=Reject
	iolog TEXT, -- iolog template
	script TEXT, -- pbparse script
	tag TEXT DEFAULT NULL, -- Arbitrary tag that will allow grouping of roles
	comment TEXT DEFAULT NULL, -- Arbitrary comment field that can contain anything
	message TEXT DEFAULT NULL, -- Accept/reject message (templated)
	variables TEXT DEFAULT NULL, -- Contains JSON formatted Policy Script variables to set (templated)
	varmatch TEXT DEFAULT NULL, -- Contains JSON formatted Policy Script variables to match
	auth TEXT DEFAULT NULL, -- Contains JSON formatted array of authentication methods (templated)
	rpt INTEGER DEFAULT 1 -- 1=on, 0=off, include Role in Entitlement Report
);
CREATE TABLE roleusers (
	id INTEGER REFERENCES role(id),
	users INTEGER REFERENCES usergrp(id),
	type CHAR(1) CHECK (type IN ('S','R')), -- S=Submit, R=Run User
	PRIMARY KEY (id,users,type)
);
CREATE TABLE rolehosts (
	id INTEGER REFERENCES role(id),
	hosts INTEGER REFERENCES hostgrp(id),
	type CHAR(1) CHECK (type IN ('S','R')), -- S=Submit Host, R=Run Host
	PRIMARY KEY (id,hosts,type)
);
CREATE TABLE rolecmds (
	id INTEGER REFERENCES role(id),
	cmds INTEGER REFERENCES cmdgrp(id),
	PRIMARY KEY (id,cmds)
);
CREATE TABLE roletmdates (
	id INTEGER REFERENCES role(id),
	tmdates INTEGER REFERENCES tmdategrp(id),
	PRIMARY KEY (id,tmdates)
);

Each role has multiple users, hosts, commands and time/dates. When the Policy Engine matches against roles, complete records are selected from the database as fully populated roles (the role row together with its roleusers, rolehosts, rolecmds and roletmdates entries) and evaluated in ascending order of the role attribute rorder. Evaluation stops at the first role that matches: its attributes are applied to the session and the Policy Engine accepts or rejects the session according to that role's action. Roles later in rorder are never consulted, so rorder is the precedence order. A broad accept role with a lower rorder therefore shadows any reject role that follows it, and a role with disabled set to 1 is never considered.

The iolog template is the normal script format log file, for example /var/log/io_log.XXXXXX.

The script is a full Privilege Management for Unix and Linux policy script that is called if the role has been accepted. This script can carry out extra processing to authorize the session (and can therefore override the accept/reject status with an explicit accept or reject command), and can carry out extended environment configuration just as a normal Privilege Management for Unix and Linux policy script would.
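The first-match rule described above is easy to get wrong when ordering roles, so here is an added example (not the product's own Policy Engine code) that loads the schema from this page into an in-memory SQLite database, adds a constructed sample policy, and runs the selection as a query ordered by rorder. Two things are assumptions not on this page: the usergrp, hostgrp, cmdgrp and tmdategrp tables are defined elsewhere in the documentation, so one-column stand-ins are created here, and the request is taken to have already been resolved to group ids (how a user, host or command is mapped to its group is not part of the role tables). The function names build_demo, match_role and set_rorder are the example's own.

```python
"""First-match role selection over the Role Based Policy schema (added example
using SQLite in memory; not the product's own Policy Engine code).
ASSUMPTIONS: usergrp/hostgrp/cmdgrp/tmdategrp stand-ins, request pre-resolved to group ids."""
import sqlite3

SCHEMA = """
-- Stand-in group tables: ASSUMPTION, the real definitions are on other pages.
CREATE TABLE usergrp   (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE hostgrp   (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE cmdgrp    (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE tmdategrp (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
-- The role tables as documented on this page.
CREATE TABLE role (
    id INTEGER PRIMARY KEY, name TEXT UNIQUE, rorder INTEGER, description TEXT,
    disabled INTEGER CHECK(disabled BETWEEN 0 AND 1), risk INTEGER CHECK(risk >= 0),
    action CHAR(1) CHECK (action IN ('A','R')), iolog TEXT, script TEXT,
    tag TEXT DEFAULT NULL, comment TEXT DEFAULT NULL, message TEXT DEFAULT NULL,
    variables TEXT DEFAULT NULL, varmatch TEXT DEFAULT NULL, auth TEXT DEFAULT NULL,
    rpt INTEGER DEFAULT 1);
CREATE TABLE roleusers (id INTEGER REFERENCES role(id), users INTEGER REFERENCES usergrp(id),
    type CHAR(1) CHECK (type IN ('S','R')), PRIMARY KEY (id,users,type));
CREATE TABLE rolehosts (id INTEGER REFERENCES role(id), hosts INTEGER REFERENCES hostgrp(id),
    type CHAR(1) CHECK (type IN ('S','R')), PRIMARY KEY (id,hosts,type));
CREATE TABLE rolecmds (id INTEGER REFERENCES role(id), cmds INTEGER REFERENCES cmdgrp(id),
    PRIMARY KEY (id,cmds));
CREATE TABLE roletmdates (id INTEGER REFERENCES role(id), tmdates INTEGER REFERENCES tmdategrp(id),
    PRIMARY KEY (id,tmdates));
"""

# Constructed sample policy: a broad accept at rorder 10 and a narrower reject at
# rorder 20 for the same users and hosts, plus a disabled role with the lowest rorder.
SAMPLE = """
INSERT INTO usergrp   VALUES (1,'devs'),(2,'dba');
INSERT INTO hostgrp   VALUES (1,'prod-db');
INSERT INTO cmdgrp    VALUES (1,'any-cmd'),(2,'shells');
INSERT INTO tmdategrp VALUES (1,'always');
INSERT INTO role (id,name,rorder,disabled,risk,action) VALUES
    (1,'devs-anything',10,0,1,'A'),
    (2,'no-shells',20,0,9,'R'),
    (3,'dba-old',5,1,1,'A');
INSERT INTO roleusers   VALUES (1,1,'S'),(2,1,'S'),(3,2,'S');
INSERT INTO rolehosts   VALUES (1,1,'S'),(2,1,'S'),(3,1,'S');
INSERT INTO rolecmds    VALUES (1,1),(1,2),(2,2),(3,1);
INSERT INTO roletmdates VALUES (1,1),(2,1),(3,1);
"""

# A role qualifies only if every dimension matches; disabled roles are never
# considered; ORDER BY rorder LIMIT 1 is the "first match wins" rule.
MATCH_SQL = """
SELECT r.id, r.name, r.action, r.rorder FROM role r
WHERE r.disabled = 0
  AND EXISTS (SELECT 1 FROM roleusers   u WHERE u.id=r.id AND u.type='S' AND u.users=?)
  AND EXISTS (SELECT 1 FROM rolehosts   h WHERE h.id=r.id AND h.type='S' AND h.hosts=?)
  AND EXISTS (SELECT 1 FROM rolecmds    c WHERE c.id=r.id AND c.cmds=?)
  AND EXISTS (SELECT 1 FROM roletmdates t WHERE t.id=r.id AND t.tmdates=?)
ORDER BY r.rorder LIMIT 1
"""

def build_demo():
    """Create the in-memory database with the schema and constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def match_role(conn, submit_user, submit_host, cmd, tmdate):
    """Return (id, name, action, rorder) of the first matching role, or None."""
    return conn.execute(MATCH_SQL, (submit_user, submit_host, cmd, tmdate)).fetchone()

def set_rorder(conn, role_name, rorder):
    """Reorder a role; this is the only knob that changes precedence."""
    conn.execute("UPDATE role SET rorder=? WHERE name=?", (rorder, role_name))
    conn.commit()

if __name__ == "__main__":
    db = build_demo()
    print(match_role(db, 1, 1, 2, 1))  # devs-anything accepts; the reject at rorder 20 is shadowed
    set_rorder(db, "no-shells", 5)     # move the reject ahead of the broad accept
    print(match_role(db, 1, 1, 2, 1))  # now no-shells rejects the same request
    print(match_role(db, 2, 1, 1, 1))  # only a disabled role covers the dba group: None
```

Running it shows the shadowing problem directly: with the reject role at rorder 20 the devs group gets a shell on prod-db through the broad accept, and only moving the reject to a lower rorder makes it effective. The disabled dba-old role has the lowest rorder of all yet never matches, which is why rorder on a disabled role is harmless until someone re-enables it.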

A diagram demonstrating that each Role has multiple Users, Hosts, Commands and Time/Dates.