A rights profile is a property of a role. You should create or change a rights profile when the prof_attr database does not contain a rights profile that fulfills your needs. To learn more about rights profiles, see RBAC Rights Profiles.
To create or change a rights profile, you must have assumed the role of Primary Administrator or have switched to superuser.
Use one of the following methods to create or change a rights profile.
Use the Users tool in the Solaris Management Console.
To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to create or change a rights profile in Rights. For more extensive information, see the online help.
This command enables you to add, modify, list, or delete a rights profile. The command works on files, and in a distributed name service, such as NIS, NIS+, or LDAP. The smprofile command runs as a client of the Solaris Management Console server.
$ /usr/sadm/bin/smprofile -D domain-name \ -r admin-role -l <Type admin-role password> \ add | modify -- -n profile-name \ -d description -m help-file -p supplementary-profile |
Is the name of the domain that you want to manage.
Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.
Is the prompt for the password of admin-role.
Is the required separator between authentication options and subcommand options.
Is the name of the new profile.
Is a short description of the profile.
Is the name of the HTML help file that you have created and placed in the /usr/lib/help/profiles/locale/C directory.
Is the name of an existing rights profile that is included in this rights profile. You can specify multiple -p supplementary-profile options.
For more command options, see the smprofile(1M) man page.
In the following example, the Network Management rights profile is made a supplementary profile of the Network Security rights profile. The role that contains the Network Security profile can now configure the network and hosts, as well has run security-relevant commands.
$ /usr/sadm/bin/smprofile -D nisplus:/example.host/example.domain \ -r primaryadm -l <Type primaryadm password> \ modify -- -n "Network Security" \ -d "Manage network and host configuration and security" \ -m RtNetConfSec.html -p "Network Management" |
The administrator created a new help file, RtNetConfSec.html, and placed it in the /usr/lib/help/profiles/locale/C directory, before running this command.
In the following example, the security administrator of MyCompany customizes the Console User rights profile. Another goal is to retain the customized rights profile when the Solaris OS is updated to a later version.
First, the administrator closes the Solaris Management Console.
Then, the administrator opens the prof_attr file, copies the Console User rights profile to the next line, and renames the second entry. The administrator uses the existing help file, RtConsUser.html.
# vi /etc/security/prof_attr Console User:::Manage System as the Console User:help=RtConsUser.html MyCompany Console User:::Manage System as the Console User:help=RtConsUser.html |
The administrator assumes the secadmin role. The secadmin role can modify the security features of a system. The secadmin role opens the Solaris Management Console, clicks the System Configuration and the Users tool, types the role password, and double-clicks the Rights tool.
The administrator double-clicks the MyCompany Console User rights profile. Under the Authorizations tab, the administrator adds two authorizations to the Authorizations Included list and saves the changes. When the system is patched or updated to a later version of the Solaris OS, the Console User rights profile is updated and the MyCompany Console User rights profile is not changed.
The following table shows sample data for a hypothetical rights profile that is called “Build Administrator”. This rights profile includes the commands in the subdirectory /usr/local/swctrl/bin. These commands have an effective UID of 0. The Build Administrator rights profile would be useful for administrators who manage the builds and versioning for software development.
Tab |
Field |
Example |
---|---|---|
General |
Name |
Build Administrator |
|
Description |
For managing software builds and versioning. |
|
Help File Name |
BuildAdmin.html |
Commands |
Add Directory |
Click Add Directory, type /usr/local/swctrl/bin in the dialog box, and click OK. |
|
Commands Denied / Commands Permitted |
Move /usr/local/swctrl/bin to the Commands Permitted column. |
|
Set Security Attributes |
Select /usr/local/swctrl/bin, click Set Security Attributes, and set Effective UID = root. |
Authorizations |
Authorizations Excluded / Authorizations Included |
No authorizations. |
Supplementary Rights |
Rights Excluded / Rights Included |
No supplementary rights profiles. |
Check the following if the rights profile does not provide the role with the capabilities that you expect:
Are the rights profiles for the role listed in the GUI from most to least powerful?
For example, if the All rights profile is at the top of the list, then no commands are run with security attributes. A profile that contains commands with security attributes must precede the All rights profile in the list.
Is a command listed more than once in the role's rights profiles? If so, does the first instance of the command have all the security attributes that are required?
For example, a command can require privileges for particular options to the command. For the options that require privileges to succeed, the first instance of the command in the highest rights profile in the list must have the assigned privileges.
Do the commands in the role's rights profiles have the appropriate security attributes?
For example, when the policy is suser, some commands require uid=0 rather than euid=0 to succeed.
Has the name service cache, svc:/system/name-service-cache, been restarted?
The nscd daemon can have a lengthy time-to-live interval. By restarting the daemon, you update the name service with current data.