Users and roles can run privileged applications from a profile shell. A profile shell is a special shell that recognizes rights. Administrators can assign a profile shell to users as a login shell, or the profile shell is started when a user runs the pfexec command or the su command to assume a role. In Oracle Solaris, every shell has a profile shell counterpart. For a list of profile shells, see the pfexec (1) man page.
Users who are directly assigned a rights profile and whose login shell is not a profile shell must open a profile shell to run the privileged commands that they are assigned. Users and roles who are assigned an authenticated rights profile are prompted to authenticate, that is, to provide a password before the command can execute. For usability and security considerations, see Considerations When Assigning Rights.