Remote RBAC database support

In an enterprise environment, it is desirable to be able to implement and enforce a common security policy across all systems in the environment. If the databases that control the policy are stored independently on each system, management of the security policy becomes a burden for the designated system administrator. AIX® enhanced RBAC mode allows the RBAC databases to be stored in LDAP so that the security policy for all systems in the environment can be centrally managed.

AIX supports storing all of the RBAC-relevant databases in LDAP. The relevant RBAC databases are:
  • Authorization database
  • Role database
  • Privileged command database
  • Privileged device database
  • Privileged file database
Note: The authorization database stored in LDAP contains only the user-defined authorizations. System-defined authorizations cannot be stored in LDAP and remain local to each client system.

AIX provides utilities to export local RBAC data to LDAP, to configure a client to use the RBAC data in LDAP, to control the order in which local and LDAP data are consulted during lookups, and to manage the LDAP data from a client system. The following sections provide more information on the LDAP features that are provided in enhanced RBAC.
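The two points above that matter to a practitioner are the lookup order between local files and LDAP, and the caveat that system-defined authorizations are never served from LDAP. The following is an added illustration, written for this page and not IBM's code: a small model of a client resolving entries in each RBAC database against a local copy and a central LDAP copy. It assumes an nscontrol.conf-style stanza syntax (a database name followed by "secorder = LDAP,files") and assumes that system-defined authorizations live under the "aix" hierarchy; the "acme.*" authorizations, the AcmeDBA role and the command paths are constructed sample data.

```python
"""Model of how an enhanced-RBAC client resolves a database lookup
against its local files and a central LDAP copy.

Added illustration, not IBM's code. Assumptions made here:
  - lookup order is given in nscontrol.conf-style stanzas
    ("<database>:" then "secorder = LDAP,files");
  - system-defined authorizations are those under the "aix" hierarchy.
"""

SYSTEM_AUTH_ROOT = "aix"            # assumed root of system-defined authorizations
SUPPORTED_DOMAINS = ("files", "LDAP")

# Constructed lookup-order configuration in nscontrol.conf style.
NSCONTROL_CONF = """\
# stanza = RBAC database, secorder = domains consulted in order
authorizations:
    secorder = LDAP,files

roles:
    secorder = LDAP,files

privcmds:
    secorder = files
"""


def parse_secorder(text):
    """Return {database: [domain, ...]} from stanza-style text."""
    order, stanza = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            stanza = line[:-1].strip()            # new stanza header
            continue
        if stanza is None or "=" not in line:
            raise ValueError(f"unexpected line outside a stanza: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "secorder":
            domains = [d.strip() for d in value.split(",") if d.strip()]
            unknown = [d for d in domains if d not in SUPPORTED_DOMAINS]
            if unknown:
                raise ValueError(f"{stanza}: unknown domain(s) {unknown}")
            order[stanza] = domains
    return order


def is_system_defined(auth):
    """Assumption: system-defined authorizations are 'aix' or 'aix.*'."""
    return auth == SYSTEM_AUTH_ROOT or auth.startswith(SYSTEM_AUTH_ROOT + ".")


def exportable_authorizations(local_auths):
    """Only user-defined authorizations may be pushed to LDAP."""
    return {name: attrs for name, attrs in local_auths.items()
            if not is_system_defined(name)}


def lookup(database, name, order, local, ldap):
    """Resolve one entry; returns (domain, attrs) or None if absent."""
    if database == "authorizations" and is_system_defined(name):
        domains = ["files"]                       # never consult LDAP for these
    else:
        domains = order.get(database, ["files"])  # default: local files only
    for domain in domains:
        store = local if domain == "files" else ldap
        attrs = store.get(database, {}).get(name)
        if attrs is not None:
            return domain, attrs
    return None


# Constructed sample data: a local client copy and the central LDAP copy.
LOCAL = {
    "authorizations": {
        "aix.security.user": {"id": 100, "dfltmsg": "User administration"},
        "acme.db.backup": {"id": 10001, "dfltmsg": "Stale local copy"},
    },
    "privcmds": {"/usr/bin/acmectl": {"accessauths": "acme.db.backup"}},
}
LDAP = {
    "authorizations": {
        "acme.db.backup": {"id": 10001, "dfltmsg": "Back up ACME databases"},
        "acme.net.fw": {"id": 10002, "dfltmsg": "Manage ACME firewall"},
    },
    "roles": {"AcmeDBA": {"authorizations": "acme.db.backup"}},
    "privcmds": {"/usr/bin/acme-ldap-only": {"accessauths": "acme.net.fw"}},
}

ORDER = parse_secorder(NSCONTROL_CONF)

if __name__ == "__main__":
    for db, name in [("authorizations", "aix.security.user"),
                     ("authorizations", "acme.db.backup"),
                     ("roles", "AcmeDBA"),
                     ("privcmds", "/usr/bin/acme-ldap-only")]:
        print(db, name, "->", lookup(db, name, ORDER, LOCAL, LDAP))
    print("exportable:", sorted(exportable_authorizations(LOCAL["authorizations"])))
```

Two behaviours are worth noting when running it: the "aix.security.user" authorization is answered from the local files even though the authorizations stanza lists LDAP first, and the stale local "acme.db.backup" entry is shadowed by the LDAP copy because LDAP precedes files in that stanza. The privileged command that exists only in LDAP is not found, because its stanza consults files alone; in a real deployment that mismatch between where data was exported and what the lookup order allows is the first thing to check when a centrally defined entry "does not work" on a client.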