Logical Domains 1.3 Administration Guide

Creating Authorization and Profiles and Assigning Roles for User Accounts

You set up authorization and profiles and assign roles for user accounts using the Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Domains Manager. Refer to the Solaris 10 System Administrator Collection for more information about RBAC.

Authorization for the Logical Domains Manager has two levels:

Following are the Logical Domains entries automatically added to the Solaris OS /etc/security/auth_attr file:

Managing User Authorizations

ProcedureAdd an Authorization for a User

Use the following steps as necessary to add authorizations in the /etc/security/auth_attr file for Logical Domains Manager users. Because the superuser already has solaris.* authorization, the superuser already has permission for solaris.ldoms.* authorizations.

  1. Create a local user account for each user who needs authorization to use the ldm(1M) subcommands.


    Note –

    To add Logical Domains Manager authorization for a user, a local (non-LDAP) account must be created for that user. Refer to the Solaris 10 System Administrator Collection for details.


  2. Do one of the following depending on which ldm(1M) subcommands you want the user to be able to access.

    See Table 3–1 for a list of ldm(1M) commands and their user authorizations.

    • Add a read-only authorization for a user using the usermod(1M) command.


      # usermod -A solaris.ldoms.read username
      
    • Add a read and write authorization for a user using the usermod(1M) command.


      # usermod -A solaris.ldoms.write username
      

ProcedureDelete All Authorizations for a User

  1. Delete all authorizations for a local user account (the only possible option).


    # usermod -A `` username
    

Managing User Profiles

The SUNWldm package adds two system-defined RBAC profiles in the /etc/security/prof_attr file for use in authorizing access to the Logical Domains Manager by non-superusers. The two LDoms-specific profiles are:

One of the preceding profiles can be assigned to a user account using the following procedure.

ProcedureAdd a Profile for a User

  1. Add an administrative profile for a local user account; for example, LDoms Management.


    # usermod -P “LDoms Management” username
    

ProcedureDelete All Profiles for a User

  1. Delete all profiles for a local user account (the only possible option).


    # usermod -P `` username
    

Assigning Roles to Users

The advantage of using this procedure is that only a user who has been assigned a specific role can assume the role. In assuming a role, a password is required if the role is given a password. This provides two layers of security. If a user has not been assigned a role, then the user cannot assume the role (by doing the su role-name command) even if the user has the correct password.

ProcedureCreate a Role and Assign the Role to a User

  1. Create a role.


    # roleadd -A solaris.ldoms.read ldm_read
    
  2. Assign a password to the role.


    # passwd ldm_read
    
  3. Assign the role to a user; for example, user_1.


    # useradd -R ldm_read user_1
    
  4. Assign a password to the user (user_1).


    # passwd user_1
    
  5. Assign access only to the user_1 account to become the ldm_read account.


    # su user_1
    
  6. Type the user password when or if prompted.

  7. Verify the user ID and access to the ldm_read role.


    $ id
    uid=nn(user_1) gid=nn(<group name>)
    $ roles
    ldm_read
  8. Provide access to the user for ldm subcommands that have read authorization.


    # su ldm_read
    
  9. Type the user password when or if prompted.

  10. Type the id command to show the user.


    $ id
    uid=nn(ldm_read) gid=nn(<group name>)