System Administration Guide: Security Services

RBAC Database Relationships

Each RBAC database uses a key=value syntax for storing attributes. This method accommodates future expansion of the databases. The method also enables a system to continue to operate if the system encounters a keyword that is unknown to its policy. The key=value contents are what link the databases to each other. The following linked entries from the four databases illustrate how the RBAC databases work together.


Example 10–1 Showing RBAC Database Connections

In the following example, the user jdoe gets the capabilities of the File System Management rights profile by being assigned the role filemgr.

  1. The user jdoe is assigned the role filemgr in the jdoe user entry in the user_attr database.


    # user_attr - user definition
    jdoe::::type=normal;roles=filemgr
    
  2. The role filemgr is assigned the rights profile File System Management in the role's entry in the user_attr database.


    # user_attr - role definition
    filemgr::::profiles=File System Management;type=role

    The user and the role are uniquely defined in the passwd and shadow files on the local system, or in equivalent databases in a distributed name service.

  3. The File System Management rights profile is defined in the prof_attr database. This database also assigns three sets of authorizations to the File System Management entry.


    # prof_attr - rights profile definitions and assigned authorizations
    File System Management:::Manage, mount, share file systems:
    help=RtFileSysMngmnt.html;
    auths=solaris.admin.fsmgr.*,solaris.admin.diskmgr.*,solaris.admin.volmgr.*

  4. The authorizations are defined in the auth_attr database.


    # auth_attr - authorization definitions
    solaris.admin.fsmgr.:::Mounts and Shares::help=AuthFsmgrHeader.html
    solaris.admin.fsmgr.read:::View Mounts and Shares::help=AuthFsmgrRead.html
    solaris.admin.fsmgr.write:::Mount and Share Files::help=AuthFsmgrWrite.html

  5. The File System Management rights profile is assigned commands with security attributes in the exec_attr database.


    # exec_attr - rights profile names with secured commands
    File System Management:suser:cmd:::/usr/sbin/mount:uid=0
    File System Management:suser:cmd:::/usr/sbin/dfshares:euid=0
    …
    File System Management:solaris:cmd:::/usr/sbin/mount:privs=sys_mount
    …
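As an added example that is not from the guide, the following Python walks the chain in steps 1 through 5 using constructed copies of the four database entries shown above, so you can see which authorizations and secured commands a user ends up with. The key=value parser keeps an unknown key (futurekey, made up here) rather than failing, as the text above describes; the prof_attr entry is written on one line, which is how it appears in the real file.

```python
from fnmatch import fnmatchcase

# Constructed sample contents of the four databases (mirroring Example 10-1);
# on a real system they live in /etc. The made-up futurekey shows unknown keys are kept.
USER_ATTR = """# user_attr - user and role definitions
jdoe::::type=normal;roles=filemgr
filemgr::::profiles=File System Management;type=role"""
PROF_ATTR = """# prof_attr - rights profile definitions (one entry per line)
File System Management:::Manage, mount, share file systems:help=RtFileSysMngmnt.html;auths=solaris.admin.fsmgr.*,solaris.admin.diskmgr.*,solaris.admin.volmgr.*;futurekey=tolerated"""
EXEC_ATTR = """# exec_attr - rights profile names with secured commands
File System Management:suser:cmd:::/usr/sbin/mount:uid=0
File System Management:suser:cmd:::/usr/sbin/dfshares:euid=0
File System Management:solaris:cmd:::/usr/sbin/mount:privs=sys_mount"""
AUTH_ATTR = """# auth_attr - authorization definitions
solaris.admin.fsmgr.:::Mounts and Shares::help=AuthFsmgrHeader.html
solaris.admin.fsmgr.read:::View Mounts and Shares::help=AuthFsmgrRead.html
solaris.admin.fsmgr.write:::Mount and Share Files::help=AuthFsmgrWrite.html"""

def parse_attrs(field):
    """Parse 'key=value;key=value'; an unknown key is stored, never an error."""
    attrs = {}
    for kv in filter(None, field.split(";")):
        key, _, value = kv.partition("=")
        attrs[key] = value
    return attrs

def load(text, nfields):
    """Return [(fields, attrs)] rows; the last field holds the key=value attributes."""
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):  # skip comments and blanks
            fields = line.split(":", nfields - 1)
            rows.append((fields, parse_attrs(fields[-1])))
    return rows

def csv(attrs, key):
    return [v for v in attrs.get(key, "").split(",") if v]  # roles=, profiles=, auths=

def resolve(user, policy="solaris"):
    """Walk user -> roles -> profiles -> auths/commands; role rights apply once assumed."""
    users = {f[0]: a for f, a in load(USER_ATTR, 5)}
    profs = {f[0]: a for f, a in load(PROF_ATTR, 5)}
    profiles = set(csv(users[user], "profiles"))
    for role in csv(users[user], "roles"):
        if users.get(role, {}).get("type") == "role":  # only entries typed as roles count
            profiles.update(csv(users[role], "profiles"))
    patterns = {p for name in profiles for p in csv(profs.get(name, {}), "auths")}
    granted = [f[0] for f, _ in load(AUTH_ATTR, 6)  # wildcard auths such as fsmgr.*
               if any(fnmatchcase(f[0], p) for p in patterns)]
    commands = [(f[5], a) for f, a in load(EXEC_ATTR, 7)  # command path and its attributes
                if f[0] in profiles and f[1] == policy]
    return {"profiles": sorted(profiles), "auths": granted, "commands": commands}
```

Passing policy="suser" instead of the default "solaris" selects the uid=0/euid=0 entries for the same commands.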