Solaris WBEM Services Administrator's Guide


There are two separate mechanisms for administering security within the Solaris operating environment, WBEM ACL (access control list) based and Solaris RBAC (role-based access control) .

The classes defined in the Solaris_Acl1.0.mof file are used to implement ACL-based security. This provides a default authorization scheme for the Solaris WBEM Services, and applies to all CIM operations. This feature is specific to the Solaris WBEM Services.

Instances of the Solaris_Acl1.0.mof classes determine the default authorizations assigned to a WBEM user and/or namespace. Provider programs, however, are allowed to override this scheme for CIM operations relating to instance manipulation; the Sun Solaris providers use the RBAC scheme to do this.

You can use the (/usr/sadm/bin/wbemadmin) to add users to existing ACLs with either read or write permissions. See "Using the Sun WBEM User Manager to Set Access Control". You can also write WBEM applications using the Solaris_Acl1.0.mof classes to set access control. See "Using the APIs to Set Access Control".

The classes defined in the Solaris_Users1.0.mof file are used to implement Solaris RBAC security for defining user roles and priveleges, via the tool of the . The SMC tool lets you add users to existing roles and grant RBAC rights to existing users. (An RBAC right is managed in the portion of the SMC tool.) See "Solaris Management Console Tool".

Sun WBEM Security Features

The CIM Object Manager validates a user's login information for the machine on which the CIM Object Manager is running. A validated user is granted some form of controlled access to the entire Common Information Model (CIM) Schema. The CIM Object Manager does not provide security for system resources such as individual classes and instances. However, the CIM Object Manager does allow control of global permissions on namespace and access control on a per-user basis.

The following security features protect access to CIM objects on a WBEM-enabled system:

Note that no digital signing of messages is performed.


When a user logs in and enters a user name and password, the client uses the password to generate an encrypted digest which the server verifies. When the user is authenticated, the CIM Object Manager sets up a client session. All subsequent operations occur within that secure client session and contain a MAC token which uses the session key negotiated during authentication.


Once the CIM Object Manager has authenticated the user's identity, that identity can be used to verify whether the user should be allowed to execute the application or any of its tasks. The CIM Object Manager supports capability-based authorization, which allows a privileged user to assign read and write access to specific users. These authorizations are added to existing Solaris user accounts.

Solaris Management Console Tool

The SMC tool lets you add users to existing roles and grant RBAC rights to existing users. (An RBAC right is managed in the portion of the SMC tool.)

To Start SMC and Tool
  1. Change to the location of the SMC invocation command by typing the following:

    # cd /usr/sbin

  2. Start SMC by typing the following command:

    # smc

  3. Double-click on "This Computer" (or single-click the expand/compress icon next to it) in the left-hand Navigation panel to expand the tree beneath it. Do the same for "System Configuration", and you will see the Users icon underneath.

  4. Click on the Users icon to start the application.

Figure 3-1 Solaris Management Console, with Users Tool Selected


For more information on the , see the man page smc(1M).