System Administration Guide: Security Services

Procedure: How to Assign Privileges to a User or Role

You might trust some users with a particular privilege all the time. Very specific privileges that affect a small part of the system are good candidates for assigning to a user. For a discussion of the implications of directly assigned privileges, see Security Considerations When Directly Assigning Security Attributes.

The following procedure enables user jdoe to use high resolution timers.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Add the privilege that affects high resolution timers to the user's initial inheritable set of privileges.


    $ usermod -K defaultpriv=basic,proc_clock_highres jdoe
    

    The values for the defaultpriv keyword replace the existing values. Therefore, for the user to retain the basic privileges, the value basic must be specified. In the default configuration, all users have basic privileges.

  3. Read the resulting user_attr entry.


    $ grep jdoe /etc/user_attr
    jdoe::::type=normal;defaultpriv=basic,proc_clock_highres

Example 11–6 Creating a Role With Privileges to Configure System Time

In this example, a role is created whose only task is to handle time on the system.


$ /usr/sadm/bin/smrole -D nisplus:/examplehost/example.domain \
-r primaryadm -l <Type primaryadm password> \
add -- -n clockmgr \
-c "Role that sets system time" \
-F "Clock Manager" \
-s /bin/pfksh \
-u 108 \
-P <Type clockmgr password> \
-K defaultpriv=basic,proc_priocntl,sys_cpu_config,
proc_clock_highres,sys_time

The -K line is wrapped for display purposes.

If the role was created locally, the user_attr entry for the role would appear similar to the following:


clockmgr:::Role that sets system time:
type=role;defaultpriv=basic,proc_priocntl,sys_cpu_config,
proc_clock_highres,sys_time
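
Because the values for defaultpriv replace the existing values, a review of directly assigned privileges should confirm that each entry still includes basic. The following script is an added example, not part of the original guide. It parses user_attr-format lines and reports each account's privileges beyond basic. The function names and the asmith and bjones entries are assumptions made for illustration, the clockmgr entry is joined onto one line, and the check looks only for the literal keyword basic.

```shell
#!/bin/sh
# Added example (not from the guide): report directly assigned privileges.
# Reads user_attr-format lines on stdin: user:qualifier:res1:res2:attr

sample_user_attr() {
    # Constructed sample. jdoe and clockmgr mirror the entries above;
    # asmith and bjones are hypothetical.
    cat <<'EOF'
# constructed sample, user_attr format
jdoe::::type=normal;defaultpriv=basic,proc_clock_highres
clockmgr:::Role that sets system time:type=role;defaultpriv=basic,proc_priocntl,sys_cpu_config,proc_clock_highres,sys_time
asmith::::type=normal;defaultpriv=proc_clock_highres
bjones::::type=normal
EOF
}

audit_defaultpriv() {
    # Prints: name type OK|MISSING_BASIC privileges-beyond-basic
    awk -F: '
        /^[ \t]*#/ || NF < 5 { next }        # comments, malformed lines
        {
            attr = $5                         # rejoin attr if it held ":"
            for (i = 6; i <= NF; i++) attr = attr ":" $i
            type = "-"; privs = ""
            n = split(attr, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq == 0) continue
                key = substr(kv[i], 1, eq - 1)
                val = substr(kv[i], eq + 1)
                if (key == "type") type = val
                if (key == "defaultpriv") privs = val
            }
            if (privs == "") next             # nothing directly assigned
            has_basic = 0; extra = ""
            m = split(privs, p, ",")
            for (i = 1; i <= m; i++) {
                if (p[i] == "basic") has_basic = 1
                else extra = extra (extra == "" ? "" : ",") p[i]
            }
            status = has_basic ? "OK" : "MISSING_BASIC"
            printf "%s %s %s %s\n", $1, type, status, (extra == "" ? "-" : extra)
        }'
}

sample_user_attr | audit_defaultpriv
```

To review a live system, redirect the local file into the function: audit_defaultpriv < /etc/user_attr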