rbac_chkauth Subroutine

Purpose

Perform a role-based access control (RBAC) authorization check.

Library

Security library (libc.a)

Syntax

#include <unistd.h>
int rbac_chkauth(username, authname, objname)
const char *username;
const char *authname;
const char *objname;

Description

The rbac_chkauth subroutine determines whether the user specified by the username parameter has the authorization indicated by the authname parameter. The authname parameter is a string that names an authorization within the hierarchical authorization naming structure. Only one authorization can be specified to describe the authorization hierarchy. If the username parameter is a null pointer or is the same as the real user name of the calling process, and the specified authorization exists in the active role set of the process, the subroutine returns the value of 1. If the username parameter does not belong to the calling process, the subroutine checks the authorization in the user database. The objname parameter is not used in the subroutine.

You can use the rbac_chkauth subroutine in the Enhanced RBAC mode only.

Parameters

username
Specifies the name of the user, or a null pointer to use the real user ID of the calling process.
authname
Specifies the name of the authorization to be checked.
objname
Currently not used.

Return Values

The rbac_chkauth subroutine returns a 1 to indicate that the user has the specified authorization, or returns a 0 to indicate that the user does not have the specified authorization.

When the subroutine fails, a value of -1 is returned and the errno value is set to indicate the error.

Error Codes

If the rbac_chkauth subroutine returns -1, one of the following errno values can be set:

Item Description
EINVAL The specified username parameter is invalid or the authname parameter is a null pointer.
EPERM The calling process does not have appropriate authority to verify the authname parameter for a user when the username parameter is a non-null pointer.

Example

The following example demonstrates how this subroutine is used:

#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#define SYSTEM_BOOT "aix.system.boot.reboot"

int boot_authcheck(void)
{
    /* Verify whether this user (invoker) can perform the system boot operation. */
    switch (rbac_chkauth(NULL, SYSTEM_BOOT, NULL)) {
    case -1:
        /* The check itself failed; errno holds the reason. Deny. */
        perror("rbac_chkauth");
        return (0);
    case 0:
        /* The user does not hold the authorization. Deny. */
        fprintf(stderr, "user is not authorized to perform system boot operation\n");
        return (0);
    }
    /* Only a return value of 1 reaches this point. */
    return (1);
}
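
An added example, not part of the original reference page: a fail-closed wrapper that separates the documented outcomes (1, 0, and -1 with EINVAL or EPERM) and checks several authorizations with one call per authorization. The names check_auth, has_all_auths and auth_result are hypothetical, and the #ifndef _AIX stand-in with its user name "ghost" is constructed only so the code builds off AIX.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#ifndef _AIX
/* Constructed stand-in so the example builds off AIX. It reproduces only the
 * documented return values and errno codes; the user name is made-up data. */
static int rbac_chkauth(const char *username, const char *authname,
                        const char *objname)
{
    (void)objname;                                   /* documented as unused */
    if (authname == NULL) { errno = EINVAL; return -1; }
    if (username != NULL && strcmp(username, "ghost") == 0) { errno = EINVAL; return -1; }
    if (username != NULL) { errno = EPERM; return -1; } /* may not query other users */
    return strcmp(authname, "aix.system.boot.reboot") == 0;
}
#endif

typedef enum { AUTH_DENIED, AUTH_GRANTED, AUTH_BAD_ARG, AUTH_NO_PERMISSION,
               AUTH_UNKNOWN_ERROR } auth_result;

/* Only an exact 1 is a grant. A -1 is split by errno so the caller can log
 * why the check could not be completed instead of treating it as an answer. */
static auth_result check_auth(const char *username, const char *authname)
{
    errno = 0;
    int rc = rbac_chkauth(username, authname, NULL);
    if (rc == 1) return AUTH_GRANTED;
    if (rc == 0) return AUTH_DENIED;
    if (errno == EINVAL) return AUTH_BAD_ARG;
    if (errno == EPERM) return AUTH_NO_PERMISSION;
    return AUTH_UNKNOWN_ERROR;
}

/* One authorization per call, so a multi-authorization requirement is a loop.
 * Fail closed: a denial or error on any entry rejects the whole request. */
static int has_all_auths(const char *username, const char *const *auths, size_t n)
{
    if (auths == NULL || n == 0) return 0;           /* nothing checked: deny */
    for (size_t i = 0; i < n; i++)
        if (check_auth(username, auths[i]) != AUTH_GRANTED) return 0;
    return 1;
}

int main(void)
{
    const char *need[] = { "aix.system.boot.reboot" };
    return has_all_auths(NULL, need, 1) ? 0 : 1;     /* exit 0 only on a grant */
}
```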