------------------------------
Allwyn Menezes
------------------------------

#AIXOpenSource

Hello Allwyn Menezes,

I would like to help you, but I read you don't like to implement rbac for this? 

most of those commands however are already in a default rbac standard roles such as: sa, so, FSAdmin 

and building your custum role for this is rather easy, because you can re-use the standard AIX authorisations.

just take a look in the rbac (text based) database /etc/security/privcmds and for example look for the shutdown command: /usr/sbin/shutdown

than you find the authorisation: aix.system.boot.shutdown with that autorisation you can make a new role with this authorisation, and so on.

Just let me know if you need help with this, in case you reconcider using AIX advanced RBAC.

Greetings Christian Sonnemans.

------------------------------
Christian Sonnemans
Tactical Unix system engineer
AsnBank
Den Bosch
------------------------------

Original Message:
Sent: Thu August 14, 2025 02:48 AM
From: Allwyn Menezes
Subject: Sudo policy in AIX to restrict commands - no RBAC

We want to implement sudo policy to restrict some commands to osadmin user.

How to add in sudo policy,If I want to restrict any command which starts from below aix commands 

chdev
chinet
umount
hostname
rmlv
migratepv
cplv
rmfs
mmshutdown
mmunmount
mmchfs
mmchconfig
mmchcluster
mmdelnode
shutdown 

We got below soulution.but we dont want to implement RBAC , we have to do it via sudo policy.

Perhaps a better way would be to use the native AIX mechanism, RBAC: RBAC roles - IBM Documentation
You can assign predefined roles to users (Predefined roles - IBM Documentation) or create your own roles (mkrole) and allow users to execute only specified tasks.

------------------------------
Allwyn Menezes
------------------------------

#AIXOpenSource