Skip to Main Content
IBM Power Ideas Portal


This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Not under consideration
Workspace AIX
Created by Guest
Created on May 25, 2017

Enhancements to RBAC access control for user having ARTEX authorizations

Currently if we create a RBAC user with artexget and artexset permissions, he will be able to change any values of the system.
The answer given to the above behavior is that, the RBAC user with artex permissions cannot modify the file himself. Artex user is doing what his role allows him to do, which is execute that file. Values can be changed only by root user.
But as a RBAC user with artex permissions can create his own file and execute, and hence he can change any values of the system. It is security breatch, or access control issue. The documentation for the above scenario is also not available.

Currently the RBAC control is at command-level: If a RBAC user get the permission to run a RBAC command, she/he should have all the privileges to perform all the tasks that the command offers. The RBAC feature doesn't support the RBAC command at the data-level, or object-level, on which the command is running. For example, for rmdev command, we can assign a user to remove all devices using rmdev, but we cannot assign a user to remove only network devices using rmdev command (and the user cannot remove other kinds of devices, like, disks), in the current RBAC design.

This is a limitation of our RBAC design. To extend the RBAC access controls to the data/object level, enhancement to the RBAC framework is required.

At the meantime the enhancement to individual commands can be done, like artex, to limit who can modify the input files to the command, so that we can partially control what the user can do while running the command (assume that the tasks are defined in the input files). That may make the RBAC commands more secure in terms of access controlling, but that breaks the current behaviors of the RBAC command.

Idea priority Medium
  • Guest
    Reply
    |
    Jul 17, 2017

    As suggested, to restrict RBAC users for object level access use RBAC Domain.

  • Guest
    Reply
    |
    Jul 14, 2017

    Hi, please check out this video to see how
    domain RBAC can provide finer granular access control.

    https://www.youtube.com/watch?v=k0jrIAgs6h4

  • Guest
    Reply
    |
    Jun 2, 2017

    There is domain RBAC.

    https://www.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.security/domain_rbac.htm

    Does it satisfy your requirements?