The Solaris Management Console GUI is the preferred method for managing RBAC. To use the GUI, see How to Create and Assign a Role by Using the GUI. You can also use the command-line interfaces, as described in this procedure.
Do not attempt to administer RBAC with the command line and the graphical user interface at the same time. Conflicting changes could be made to the configuration, and the behavior would be unpredictable. You can use both tools to administer RBAC, but you cannot use both concurrently.
To create a role, you must either assume a role that includes the Primary Administrator rights profile, or switch to the user root.
Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Choose one of the following commands to create a role on the command line.
For roles in the local name service scope, use the roleadd command.
The roleadd command is more limited than the Solaris Management Console GUI or command-line interfaces. After running the roleadd command, you must run the usermod command to assign the role to a user. And, the user then must set the password for the role, as shown in How to Assign a Role to a Local User.
# roleadd -c comment \ -g group -m homedir -u UID -s shell \ -P profile rolename |
Is a comment that describes rolename.
Is the group assignment for rolename.
Is the path to the home directory for rolename.
Is the UID for rolename.
Is the login shell for rolename. This shell must be a profile shell.
Is one or more rights profiles for rolename.
Is the name of the new local role.
Use the smrole add command.
This command creates a role in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.
$ /usr/sadm/bin/smrole -D domain-name \ -r admin-role -l <Type admin-role password> \ add -- -n rolename -a rolename -d directory\ -F full-description -p profile |
Is the name of the domain that you want to manage.
Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.
Is the prompt for the password of admin-role.
Is the required separator between authentication options and subcommand options.
Is the name of the new role.
Is the comment that describes the capabilities of the role.
Is the name of the user who can assume rolename.
Is the home directory for rolename.
Is the full description for rolename. This description is displayed in the Solaris Management Console GUI.
Is a rights profile that is included in the capabilities of rolename. This option gives commands with administrative capabilities to the role. You can specify multiple -p profile options.
To put the changes into effect, see How to Assign a Role to a Local User.
The smrole command specifies a new role and its attributes in a name service. In the following example, the Primary Administrator creates a new version of the Operator role. The role includes the standard Operator rights profile as well as the Media Restore rights profile. Note that the command prompts you for a password for the new role.
% su - primaryadm Password: <Type primaryadm password> $ /usr/sadm/bin/smrole add -H myHost -- -c "Backup and Restore Operator" \ -n operadm2 -a janedoe -d /export/home/operadm \ -F "Backup/Restore Operator" -p "Operator" -p "Media Restore" Authenticating as user: primaryadm Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: <Type primaryadm password> Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost Login to myHost as user primaryadm was successful. Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful. Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password ::<Type operadm2 password> $ svcadm restart system/name-service-cache |
The smrole command with the list subcommand is used to display the new role:
$ /usr/sadm/bin/smrole list -- Authenticating as user: primaryadm Type /? for help, pressing <enter> accepts the default denoted by [ ] Please enter a string value for: password :: <Type primaryadm password> Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost Login to myHost as user primaryadm was successful. Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful. root 0 Superuser primaryadm 100 Most powerful role sysadmin 101 Performs non-security admin tasks operadm 102 Backup Operator operadm2 103 Backup/Restore Operator |