adminrole [-a cmd:path[:priv[:priv ...]][, ...]] role ... [-r cmd[:priv[:priv ...]][, ...]] role ...
adminrole [-d] role ...
adminrole
A role contains a list of commands. Each command contains a (possibly empty) list of privileges. The tfadmin command will use these privileges to set up its process before it invokes this command for a member of the role. The adminrole command has the following options:
The adminrole command takes as its arguments the list of roles to which the actions specified by the options apply. The argument to the -a or -r option is a comma-separated list of command descriptions. For the -a option, the command description includes the name of the command to be added, the full path at which the command file resides, and the privilege set, represented by a colon-separated list of privilege names (for example, mount:/etc/mount:macread:mount). There is no limit on the length of the path name; however, / ("root" or "slash") alone may not be specified.
The command description for the -r option is the same as for the -a option except that the full path and the separating colon are not given (for example, mount:macread:mount).
If users in the specified role(s) get no privilege when they invoke the command, the privilege description may be omitted; that is, if the definition to be removed does not have any privileges associated with it (it merely provides an alias for the command), then you do not have to specify privileges when removing that definition.
Note that in any case when you use the -r option and you do not specify privileges, the definition is removed entirely from that role. Future attempts to use that command in that role with tfadmin will return errors. If you do specify privileges, then only those privileges are removed from the definition. This can leave you with a definition that has no privilege associated with it. In this case, users in that role can run the command with tfadmin, but will gain no privileges by doing so. The command will function solely as an alias for the path provided in the definition.
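The following Python sketch is an added example, not part of adminrole or of the original page. It models the -a and -r description formats and the removal rules above on an in-memory role, so a reviewer can see which definitions are left as alias-only entries. The function names, the dict layout, the absolute-path check, replacing an entry on re-add, and the error raised for an undefined command are assumptions of this model.

```python
# Added illustration: an in-memory model of the semantics described above.
# It does not call adminrole or read the real role database.

def parse_add(desc):
    """Parse one -a description: cmd:path[:priv[:priv ...]]."""
    parts = desc.split(":")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"need cmd:path in {desc!r}")
    cmd, path, privs = parts[0], parts[1], parts[2:]
    # "/" alone is rejected per the page; requiring a leading "/" is an
    # assumption about what "full path" means.
    if not path.startswith("/") or path == "/":
        raise ValueError(f"full path required, and not '/' alone: {path!r}")
    return cmd, path, set(privs)

def parse_remove(desc):
    """Parse one -r description: cmd[:priv[:priv ...]] (no path field)."""
    cmd, *privs = desc.split(":")
    if not cmd:
        raise ValueError(f"missing command name in {desc!r}")
    return cmd, set(privs)

def apply_add(role, arg):
    """Apply a comma-separated -a argument to a role (dict: cmd -> entry)."""
    for desc in arg.split(","):
        cmd, path, privs = parse_add(desc.strip())
        role[cmd] = {"path": path, "privs": privs}  # replaces on re-add (assumption)

def apply_remove(role, arg):
    """Apply a comma-separated -r argument to a role."""
    for desc in arg.split(","):
        cmd, privs = parse_remove(desc.strip())
        if cmd not in role:
            raise KeyError(f"{cmd} is not defined in this role")  # assumption
        if privs:
            role[cmd]["privs"] -= privs   # may leave an alias-only entry
        else:
            del role[cmd]                 # whole definition removed

def alias_only(role):
    """Commands the role can still run via tfadmin, but with no privilege."""
    return sorted(c for c, e in role.items() if not e["privs"])

role = {}  # constructed sample role
apply_add(role, "mount:/etc/mount:macread:mount")
apply_remove(role, "mount:macread:mount")   # privileges named: entry survives
print(role, alias_only(role))
```
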
The -n and -r options may not be used together. Doing so will cause an error, since incompatible options have been specified.
If the -d option is used in an attempt to delete a non-existent role, an error will result.
The following diagnostic messages are printed by adminrole: