AIX Enhanced Role Based Access Control


One of the critical components to achieving a successful Defense in Depth strategy is to reduce unnecessary administrative privileges.  Time and time again, breaches have shown that one of the hacker’s top priorities is gaining administrative access that will allow him to compromise the environment he is attacking.  In SANS’s case study of the 2013 Target Breach they indicated the breach could have been prevented if proper access control was utilized:

‘Limited administrative privileges may have prevented inserting software to get into the deployment process used to infect the POS systems with malware.’

In AIX 6 and above, IBM has provided a powerful access control solution that can help your organization significantly reduce your organization’s security risk.

Domain RBAC is an extension of Enhanced RBAC that provides additional access control options that can provide a greater depth and sophistication to your access control security layer.


  1. Freely licensed and supported under your AIX Software Maintenance Agreement
  2. Allow users to access files or commands that normally require root access
  3. Define roles that limit users’ access to only the commands or files needed by the administrator
  4. Provide additional access controls to files, devices, network interfaces, and network ports via Domain RBAC
  5. Implement separation of duties functionality not possible with Sudo
  6. Reduce security risk by using the native kernel-based access control solution, Enhanced RBAC, instead of sudo
  7. Leverage RBAC-based auditing to save on disk and cpu cycles with the general security auditing of your systems
  8. Drastically reduce risk by enabling 3rd party commands and scripts to be executed using an RBAC role, instead of requiring root access
  9. Centralize administration of RBAC using the RFC2307AIX schema and LDAP


see: RBAC Workshop

%d bloggers like this: