Symptom & Impact
RBAC users receive ‘permission denied’ even though a role is assigned.
Environment & Reproduction
Enhanced RBAC is enabled, but the user's session has no active role.
rolelist -u user1
swrole role01
tsh
Root Cause Analysis
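A role's authorizations take effect only after the role is activated in the session (swrole or a new login) and the Kernel Security Tables (KST) have been refreshed with setkst.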
Quick Triage
Confirm role assignment and current session authorizations.
lsuser -a roles user1
rolelist -e
lssec -f /etc/security/user -s user1 -a roles
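The triage comparison above can be scripted. The following is an added example, not part of the original page: it lists roles that are assigned to a user but not active in the session. The function names, the sample data and the assumed output layouts of lsuser and rolelist -e are illustrative assumptions.

```shell
#!/bin/sh
# Added example: report roles that are assigned to a user but not active
# in the current session (the state behind the "permission denied" symptom).
# Assumed input layouts (verify on your system):
#   lsuser -a roles USER  ->  "user1 roles=role01,role02"
#   rolelist -e           ->  one active role per line, role name in column 1

# assigned_roles "<lsuser line>": print the assigned roles, one per line.
assigned_roles() {
    printf '%s\n' "$1" | sed -n 's/^.*roles=//p' | tr ',' '\n' | sed '/^$/d'
}

# inactive_roles "<lsuser line>" "<rolelist -e output>":
# print each assigned role that is missing from the active role list.
inactive_roles() {
    active=$(printf '%s\n' "$2" | awk 'NF { print $1 }')
    assigned_roles "$1" | while IFS= read -r role; do
        # -F fixed string, -x whole line: role01 must not match role010
        printf '%s\n' "$active" | grep -Fxq -- "$role" || printf '%s\n' "$role"
    done
}

# Constructed sample data (not captured from a real system).
SAMPLE_LSUSER='user1 roles=role01,role02'
SAMPLE_ACTIVE='role02    Backup operator role'

# On AIX, run as the affected user, the real inputs would be:
#   inactive_roles "$(lsuser -a roles "$USER")" "$(rolelist -e 2>/dev/null)"
if [ "${1:-}" = "--demo" ]; then
    for r in $(inactive_roles "$SAMPLE_LSUSER" "$SAMPLE_ACTIVE"); do
        echo "role $r is assigned but not active: run 'swrole $r'"
    done
fi
```

An empty result means every assigned role is already active, so the next thing to check is the KST refresh rather than swrole.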
Step-by-Step Diagnosis
Compare authorized command requirements with active KST entries.
lsauth ALL
lssec -f /etc/security/roles -s role01 -a authorizations
setkst

Solution – Primary Fix
Assign role, refresh KST, and have user run swrole before executing commands.
chuser roles=role01 user1
setkst
swrole role01

Solution – Alternative Approaches
Use sudo with documented commands or create a fine-grained role with chauth.
Verification & Acceptance Criteria
User executes the privileged command without password rejection.
swrole role01
rolelist -e
Rollback Plan
Remove the role assignment if it grants excessive privilege.
chuser roles= user1
setkst
rolelist -u user1
Prevention & Hardening
Document role design, use setkst after changes, and audit with rolelist.
Related Errors & Cross-Refs
Related to sudo escalation, audit subsystem misses, and login banner enforcement.
References & Further Reading
IBM AIX 7.2 security and RBAC administration guide.