Role Based Authentication on the VIO Servers
I needed to set up Role Based Authentication on the VIO Servers so the storage team could allocate storage to LPARs without being given full access. VIOS Role Based Authentication was the solution, and I finally got it working once I discovered the need to run the setkst command after the roles and users were created. The setkst command updates the running kernel tables that allow roles to take effect.
The following is just an example of setting up role based authentication. A full list of roles and options is available on the IBM web site: IBM Role Base Authentication
# Create the role.
mkrole authorizations=vios.device,vios.oemsetupenv,vios.system.config.hostname STGAdmin
vios.system.config.hostname was added to allow the PS1 prompt to display the VIO Server hostname.
vios.device allows the user to update, create or remove devices. As this is a parent authorization, the user also gets the child authorizations vios.device.config and vios.device.manage. vios.device.config allows the user to run cfgdev, while vios.device.manage allows the rmdev and/or mkdev commands.
vios.oemsetupenv allows the user to run the oem_setup_env command, as this was needed to access EMC PowerPath software.
# Create the user.
mkuser -attr roles=STGAdmin default_roles=STGAdmin stguser1
# Reload the Kernel Tables.
setkst
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.
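As an added example (not from the original post), the three steps above wrapped in a script that keeps the role name consistent between mkrole and mkuser, always finishes with setkst, and then checks the result. It assumes the VIOS commands mkrole, mkuser, setkst, lsrole and lsuser with the -attr option; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes VIOS commands
# mkrole, mkuser, setkst, lsrole and lsuser. DRY_RUN=1 only prints.

ROLE_AUTHS="vios.device,vios.oemsetupenv,vios.system.config.hostname"

run() {
    # Print the command when DRY_RUN=1, otherwise execute it on the VIOS.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Role names are case sensitive; one variable feeds both mkrole and mkuser
# so the role granted to the user is exactly the role that was created.
create_storage_role() {
    role=$1
    run mkrole "authorizations=$ROLE_AUTHS" "$role"
}

create_storage_user() {
    role=$1; user=$2
    run mkuser -attr "roles=$role" "default_roles=$role" "$user"
}

# setkst is what loads the new role and assignment into the kernel tables;
# without it the user logs in but the role is not usable.
apply_rbac_setup() {
    role=$1; user=$2
    create_storage_role "$role" || return 1
    create_storage_user "$role" "$user" || return 1
    run setkst
}

# Post-setkst check (assumed lsrole/lsuser output as attr=value pairs).
verify_rbac_setup() {
    role=$1; user=$2
    lsrole "$role" >/dev/null 2>&1 || { echo "role $role not found" >&2; return 1; }
    lsuser -attr roles "$user" 2>/dev/null | grep -q "roles=.*$role" || {
        echo "user $user does not hold role $role" >&2; return 1; }
    echo "RBAC setup for $user with role $role verified"
}

# Usage on the VIOS: apply_rbac_setup STGAdmin stguser1 && verify_rbac_setup STGAdmin stguser1
```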