Customizing Device Authorizations in Trusted Extensions (Task Map)
The following task map describes procedures to change device authorizations at your site.
|
Task |
Description |
For Instructions |
|---|---|---|
|
Create new device authorizations. |
Creates site-specific authorizations. | |
|
Add authorizations to a device. |
Adds site-specific authorizations to selected devices. |
How to Add Site-Specific Authorizations to a Device in Trusted Extensions |
|
Assign device authorizations to users and roles. |
Enables users and roles to use the new authorizations. |
How to Create New Device Authorizations
If no authorization is specified at the time a device is created, by default, all users can use the device. If an authorization is specified, then, by default, only authorized users can use the device.
To prevent all access to an allocatable device without using authorizations, see Example 17–1.
Before You Begin
You must be in the Security Administrator role in the global zone.
-
Edit the auth_attr file.
Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.
-
Create a heading for the new authorizations.
Use the reverse-order Internet domain name of your organization followed by optional additional arbitrary components, such as the name of your company. Separate components by dots. End heading names with a dot.
domain-suffix.domain-prefix.optional.:::Company Header::help=Company.html
-
Add new authorization entries.
Add the authorizations, one authorization per line. The lines are split for display purposes. The authorizations include grant authorizations that enable administrators to assign the new authorizations.
domain-suffix.domain-prefix.grant:::Grant All Company Authorizations:: help=CompanyGrant.html domain-suffix.domain-prefix.grant.device:::Grant Company Device Authorizations:: help=CompanyGrantDevice.html domain-suffix.domain-prefix.device.allocate.tape:::Allocate Tape Device:: help=CompanyTapeAllocate.html domain-suffix.domain-prefix.device.allocate.floppy:::Allocate Floppy Device:: help=CompanyFloppyAllocate.html
-
Save the file and close the editor.
-
If you are using LDAP as your naming service, update the auth_attr entries on the Sun Java System Directory Server (LDAP server).
For information, see the ldapaddent(1M) man page.
-
Add the new authorizations to the appropriate rights profiles. Then assign the profiles to users and roles.
Use the Solaris Management Console. Assume the Security Administrator role, then follow the Solaris procedure How to Create or Change a Rights Profile in System Administration Guide: Security Services.
-
Use the authorization to restrict access to tape and diskette drives.
Add the new authorizations to the list of required authorizations in the Device Allocation Manager. For the procedure, see How to Add Site-Specific Authorizations to a Device in Trusted Extensions.
Example 17–4 Creating Fine-Grained Device Authorizations
A security administrator for NewCo needs to construct fine-grained device authorizations for the company.
First, the administrator writes the following help files, and places the files in the /usr/lib/help/auths/locale/C directory:
Newco.html NewcoGrant.html NewcoGrantDevice.html NewcoTapeAllocate.html NewcoFloppyAllocate.html |
Next, the administrator adds a header for all of the authorizations for newco.com in the auth_attr file.
# auth_attr file com.newco.:::NewCo Header::help=Newco.html |
Next, the administrator adds authorization entries to the file:
com.newco.grant:::Grant All NewCo Authorizations:: help=NewcoGrant.html com.newco.grant.device:::Grant NewCo Device Authorizations:: help=NewcoGrantDevice.html com.newco.device.allocate.tape:::Allocate Tape Device:: help=NewcoTapeAllocate.html com.newco.device.allocate.floppy:::Allocate Floppy Device:: help=NewcoFloppyAllocate.html |
The lines are split for display purposes.
The auth_attr entries create the following authorizations:
-
An authorization to grant all NewCo's authorizations
-
An authorization to grant NewCo's device authorizations
-
An authorization to allocate a tape drive
-
An authorization to allocate a diskette drive
Example 17–5 Creating Trusted Path and Non-Trusted Path Authorizations
By default, the Allocate Devices authorization enables allocation from the trusted path and from outside the trusted path.
In the following example, site security policy requires restricting remote CD-ROM allocation. The security administrator creates the com.someco.device.cdrom.local authorization. This authorization is for CD-ROM drives that are allocated with the trusted path. The com.someco.device.cdrom.remote authorization is for those few users who are allowed to allocate a CD-ROM drive outside the trusted path.
The security administrator creates the help files, adds the authorizations to the auth_attr database, adds the authorizations to the devices, and then places the authorizations in rights profiles. The profiles are assigned to users who are allowed to allocate devices.
-
The following are the auth_attr database entries:
com.someco.:::SomeCo Header::help=Someco.html com.someco.grant:::Grant All SomeCo Authorizations:: help=SomecoGrant.html com.someco.grant.device:::Grant SomeCo Device Authorizations:: help=SomecoGrantDevice.html com.someco.device.cdrom.local:::Allocate Local CD-ROM Device:: help=SomecoCDAllocateLocal.html com.someco.device.cdrom.remote:::Allocate Remote CD-ROM Device:: help=SomecoCDAllocateRemote.html
-
The following is the Device Allocation Manager assignment:
The Trusted Path enables authorized users to use the Device Allocation Manager when allocating the local CD-ROM drive.
Device Name: cdrom_0 For Allocations From: Trusted Path Allocatable By: Authorized Users Authorizations: com.someco.device.cdrom.local
The Non-Trusted Path enables users to allocate a device remotely by using the allocate command.
Device Name: cdrom_0 For Allocations From: Non-Trusted Path Allocatable By: Authorized Users Authorizations: com.someco.device.cdrom.remote
-
The following are the rights profile entries:
# Local Allocator profile com.someco.device.cdrom.local # Remote Allocator profile com.someco.device.cdrom.remote
-
The following are the rights profiles for authorized users:
# List of profiles for regular authorized user Local Allocator Profile ... # List of profiles for role or authorized user Remote Allocator Profile ...
How to Add Site-Specific Authorizations
to a Device in Trusted Extensions
Before You Begin
You must be in the Security Administrator role, or in a role that includes the Configure Device Attributes authorization. You must have already created site-specific authorizations, as described in How to Create New Device Authorizations.
-
Follow the How to Configure a Device in Trusted Extensions procedure.
-
Select a device that needs to be protected with your new authorizations.
-
Open the Device Administration dialog box.
-
In the Device Configuration dialog box, click the Authorizations button.
The new authorizations are displayed in the Not Required list.
-
Add the new authorizations to the Required list of authorizations.
-
-
To save your changes, click OK.
How to Assign Device Authorizations
The Allocate Device authorization enables users to allocate a device. The Allocate Device authorization, and the Revoke or Reclaim Device authorization, are appropriate for administrative roles.
Before You Begin
You must be in the Security Administrator role in the global zone.
If the existing profiles are not appropriate, the security administrator can create a new profile. For an example, see How to Create a Rights Profile for Convenient Authorizations.
-
Assign to the user a rights profile that contains the Allocate Device authorization.
For assistance, see the online help. For the step-by-step procedure, see How to Change the RBAC Properties of a User in System Administration Guide: Security Services.
The following rights profiles enable a role to allocate devices:
-
All Authorizations
-
Device Management
-
Media Backup
-
Media Restore
-
Object Label Management
-
Software Installation
The following rights profiles enable a role to revoke or reclaim devices:
-
All Authorizations
-
Device Management
The following rights profiles enable a role to create or configure devices:
-
All Authorizations
-
Device Security
-
Example 17–6 Assigning New Device Authorizations
-
Creates new device authorizations, as in How to Create New Device Authorizations
-
In the Device Allocation Manager, adds the new device authorizations to the tape and diskette drives
-
Places the new authorizations in the rights profile, NewCo Allocation
-
Adds the NewCo Allocation rights profile to the profiles of users and roles who are authorized to allocate tape and diskette drives
In this example, the security administrator configures the new device authorizations for the system and assigns the rights profile with the new authorizations to trustworthy users. The security administrator does the following:
Authorized users and roles can now use the tape drives and diskette drives on this system.
- © 2010, Oracle Corporation and/or its affiliates