User Attribute Databases

The user information is held in the following databases:

• user_attr(4)--The /etc/user_attr file contains extended user attributes, using a keyword=value format.

• auth_attr(4)--The /etc/security/auth_attr file contains the definitions of authorizations, which can be included in rights profiles.

• prof_attr(4)--The /etc/security/prof_attr file contains the name, description, authorizations, subordinate rights profiles, and help files for rights profiles.

• exec_attr(4)--The /etc/security/exec_attr file contains commands and actions with security attributes assigned to rights profiles.

These databases can be edited manually, although this practice is not generally recommended.

The following figure shows how the databases work together to provide user attributes.

Figure 2-5 User Database Relationships

The user_attr database contains the attributes shown, including a comma-separated list of profile names. The contents of the profiles are split between the prof_attr file, which contains profile identification information, authorizations assigned to the profile, and subordinate profiles, and the exec_attr file, which contains commands and actions with their associated security attributes. The auth_attr file supplies available authorizations to the prof_attr file and the policy.conf file. (Note that although you can assign authorizations directly to users through user_attr, this practice is discouraged.) The policy.conf file supplies default attributes to be applied to all users. The label_encodings file supplies label defaults if they are not otherwise specified.