{ "version": "3.0.0", "storage": { "method": "json", "settings": { "immutable": true, "path": "/etc/security/rootasrole.json" } }, "options": { "timeout": { "type": "ppid", "duration": "00:05:00" }, "path": { "default": "delete", "add": [ "/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin", "/snap/bin" ] }, "env": { "default": "delete", "keep": [ "HOME", "USER", "LOGNAME", "COLORS", "DISPLAY", "HOSTNAME", "KRB5CCNAME", "LS_COLORS", "PS1", "PS2", "XAUTHORY", "XAUTHORIZATION", "XDG_CURRENT_DESKTOP" ], "check": [ "COLORTERM", "LANG", "LANGUAGE", "LC_.*", "LINGUAS", "TERM", "TZ" ], "delete" : [ "PS4", "SHELLOPTS", "PERLLIB", "PERL5LIB", "PERL5OPT", "PYTHONINSPECT" ] }, "root": "user", "bounding": "strict", "wildcard-denied": ";&|" }, "roles": [ { "name": "r_root", "actors": [ { "type": "user", "name": "ROOTADMINISTRATOR" }, { "type": "user", "name": "root" } ], "tasks": [ { "name": "t_root", "purpose": "access to every command", "cred": { "setuid": "root", "setgid": "root", "capabilities": { "default": "all", "sub": ["CAP_LINUX_IMMUTABLE"] } }, "commands": { "default": "all" } }, { "name": "t_chsr", "purpose": "Configure RootAsRole", "cred": { "setuid": "root", "setgid": "root", "capabilities": { "default": "none", "add": ["CAP_LINUX_IMMUTABLE"] } }, "commands": { "default": "none", "add": [ "/usr/bin/chsr .*" ] } }, { "name": "t_capable", "purpose": "access to every command", "cred": { "capabilities": { "default": "all", "sub": ["CAP_LINUX_IMMUTABLE"] } }, "commands": { "default": "none", "add": [ "/usr/bin/capable .*" ] } } ] } ] }