Create Rights Profiles That Enforce Separation of Duty

Skip this procedure if separation of duty is not a site security requirement. If your site requires separation of duty, you must create these rights profiles and roles before you populate the LDAP server.

This procedure creates rights profiles that have discrete capabilities to manage users. When you assign these profiles to distinct roles, two roles are required to create and configure users. One role can create users, but cannot assign security attributes. The other role can assign security attributes, but cannot create users. When you log in to the Solaris Management Console in a role that is assigned one of these profiles, only the appropriate tabs and fields are available to the role.

Before You Begin

You must be superuser, in the root role, or in the Primary Administrator role. When you start this procedure, the Solaris Management Console must be closed.

1. Create copies of the default rights profiles that affect user configuration.

   1. Copy the prof_attr file to the prof_attr.orig file.

   2. Open the prof_attr file in the trusted editor.

      # /usr/dt/bin/trusted_edit /etc/security/prof_attr

   3. Copy the three rights profiles and rename the copies.

      System Administrator:::Can perform most non-security... Custom System Administrator:::Can perform most non-security... User Security:::Manage passwords... Custom User Security:::Manage passwords... User Management:::Manage users, groups, home... Custom User Management:::Manage users, groups, home...

   4. Save the changes.

   5. Verify the changes.

      # grep ^Custom /etc/security/prof_attr Custom System Administrator:::Can perform most non-security... Custom User Management:::Manage users, groups, home... Custom User Security:::Manage passwords...

   Copying a rights profile rather than modifying it enables you to upgrade the system to a later Solaris release and retain your changes. Because these rights profiles are complex, modifying a copy of the default profile is less prone to error than building the more restrictive profile from scratch.

2. Start the Solaris Management Console.

   # /usr/sbin/smc &

3. Select the This Computer (this-host: Scope=Files, Policy=TSOL) toolbox.

4. Click System Configuration, then click Users.

   You are prompted for your password.

5. Type the appropriate password.

6. Double-click Rights.

7. Modify the Custom User Security rights profile.

   You restrict this profile from creating a user.

   1. Double-click Custom User Security.

   2. Click the Authorizations tab, then perform the following steps:

      1. From the Included list, remove the Manage Users and Roles authorization.

         The following User Accounts rights remain:

         Audit Controls Label and Clearance Range Change Password View Users and Roles Modify Extended Security Attributes

      2. Add the Manage Privileges right to the Included list.

   3. Click OK to save your changes.

8. Modify the Custom User Management profile.

   You restrict this profile from setting a password.

   1. Double-click Custom User Management.

   2. Click the Authorizations tab, then perform the following steps:

      1. Drag the scrollbar for the Included list to User Accounts.

      2. From the Included list, remove the Modify Extended Security Attributes authorization.

         The following User Accounts rights remain:

         Manage Users and Roles View Users and Roles

   3. Save your changes.

9. Modify the Custom System Administrator rights profile.

   The User Management profile is a supplementary profile in this profile. You prevent the system administrator from setting a password.

   1. Double-click Custom System Administrator.

   2. Click the Supplementary Rights tab, then perform the following steps:

      1. Remove the User Management rights profile.

      2. Add the Custom User Management rights profile.

      3. Move the Custom User Management rights profile above the All rights profile.

   3. Save your changes.

Next Steps

To prevent the default profiles from being used, see Step 7 in Verify That the Trusted Extensions Roles Work after you verify that the custom profiles enforce separation of duty.