Solaris WBEM Developer's Guide

Role Assumption

A role identity can be assumed only when a WBEM user selects the Remote Method Invocation (RMI) protocol. Role assumption is not supported by the XML over HTTP protocol.

The Solaris platform implementation of WBEM supports the ability of a client to assume the identity of a Solaris OS role. When a client assumes the identity of a Solaris OS role, the client is authenticated by the CIMOM on the WBEM server. To check RBAC authorizations, the WBEM server uses the permission that is granted to the assumed role rather than the permission that is granted to the underlying user identity.

RBAC roles are described in more detail in Role-Based Access Control (Overview) in System Administration Guide: Security Services.

The client must provide the Solaris OS role identity and password in addition to a Solaris OS user identity and password when the client attempts to connect.

If the WBEM server cannot verify the Solaris OS role identity, the WBEM server returns a CIM security exception that includes the NO_SUCH_ROLE error.

If the role password is invalid for the specified role identity, the WBEM server returns the INVALID_CREDENTIAL error in the CIM security exception.

If both the role identity and role password are valid, but the user is not allowed to assume the role, the WBEM server returns the CANNOT_ASSUME_ROLE error in the CIM security exception.
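The following Python model is an added example, not code from the Solaris WBEM implementation or its client API. It walks through the role checks in the order the conditions above imply and shows that a successful assumption switches RBAC checks to the role's permissions. Assumptions: the account data, the protocol labels "RMI" and "XML/HTTP", every function and class name, and the "unsupported-protocol" label are constructed for illustration, and the user identity is taken to be already authenticated.

```python
import hashlib
import hmac

def _h(pw):
    # The constructed stores below hold only a salted hash of each password.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"demo-salt", 1000)

# Constructed sample data, not real Solaris accounts or authorizations.
USER_PERMS = {"alice": {"read"}, "bob": {"read"}}
ROLES = {"sysadmin": {"pw": _h("role-pw"), "members": {"alice"},
                      "perms": {"read", "write"}}}

class CIMSecurityError(Exception):
    """Stand-in for the CIM security exception; .error is the error name."""
    def __init__(self, error):
        super().__init__(error)
        self.error = error

def effective_permissions(protocol, user, role=None, role_pw=None):
    """Permissions used for RBAC checks for an already authenticated user."""
    if role is None:
        return USER_PERMS[user]            # no role: the user's own grants
    if protocol != "RMI":                  # role assumption is RMI-only
        raise ValueError("role assumption requires the RMI protocol")
    entry = ROLES.get(role)
    if entry is None:
        raise CIMSecurityError("NO_SUCH_ROLE")
    if not hmac.compare_digest(entry["pw"], _h(role_pw or "")):
        raise CIMSecurityError("INVALID_CREDENTIAL")
    if user not in entry["members"]:       # valid role and password, wrong user
        raise CIMSecurityError("CANNOT_ASSUME_ROLE")
    return entry["perms"]                  # the role's grants, not the user's

def outcome(protocol, user, role=None, role_pw=None):
    """Return the permission set, or the name of the error that was raised."""
    try:
        return effective_permissions(protocol, user, role, role_pw)
    except CIMSecurityError as exc:
        return exc.error
    except ValueError:
        return "unsupported-protocol"      # label for this model, not a WBEM error

if __name__ == "__main__":
    for args in [("RMI", "alice", "sysadmin", "role-pw"),
                 ("RMI", "bob", "sysadmin", "role-pw"),
                 ("XML/HTTP", "alice", "sysadmin", "role-pw")]:
        print(args, "->", outcome(*args))
```

In this model, a user who is not allowed to assume the role and also supplies a wrong role password sees INVALID_CREDENTIAL, because CANNOT_ASSUME_ROLE applies only when the role identity and password are both valid.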