You set up authorization and profiles and assign roles for user accounts using the Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Domains Manager. Refer to the Solaris 10 System Administrator Collection for more information about RBAC.
Authorization for the Logical Domains Manager has two levels:
Read – allows you to view, but not modify the configuration.
Read and write – allows you to view and change the configuration.
Following are the Logical Domains entries automatically added to the Solaris OS /etc/security/auth_attr file:
solaris.ldoms.:::LDom administration::
solaris.ldoms.grant:::Delegate LDom configuration::
solaris.ldoms.read:::View LDom configuration::
solaris.ldoms.write:::Manage LDom configuration::
Use the following steps as necessary to add authorizations in the /etc/security/auth_attr file for Logical Domains Manager users. Because the superuser already has solaris.* authorization, the superuser already has permission for solaris.ldoms.* authorizations.
Create a local user account for each user who needs authorization to use the ldm(1M) subcommands.
To add Logical Domains Manager authorization for a user, a local (non-LDAP) account must be created for that user. Refer to the Solaris 10 System Administrator Collection for details.
Do one of the following depending on which ldm(1M) subcommands you want the user to be able to access.
See Table 3–1 for a list of ldm(1M) commands and their user authorizations.
Add a read-only authorization for a user using the usermod(1M) command.
# usermod -A solaris.ldoms.read username |
Add a read and write authorization for a user using the usermod(1M) command.
# usermod -A solaris.ldoms.write username |
Delete all authorizations for a local user account (the only possible option).
# usermod -A `` username |
The SUNWldm package adds two system-defined RBAC profiles in the /etc/security/prof_attr file for use in authorizing access to the Logical Domains Manager by non-superusers. The two LDoms-specific profiles are:
LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read
LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*
One of the preceding profiles can be assigned to a user account using the following procedure.
Add an administrative profile for a local user account; for example, LDoms Management.
# usermod -P “LDoms Management” username |
The advantage of using this procedure is that only a user who has been assigned a specific role can assume the role. In assuming a role, a password is required if the role is given a password. This provides two layers of security. If a user has not been assigned a role, then the user cannot assume the role (by doing the su role-name command) even if the user has the correct password.
Create a role.
# roleadd -A solaris.ldoms.read ldm_read |
Assign a password to the role.
# passwd ldm_read |
Assign the role to a user; for example, user_1.
# useradd -R ldm_read user_1 |
Assign a password to the user (user_1).
# passwd user_1 |
Assign access only to the user_1 account to become the ldm_read account.
# su user_1 |
Type the user password when or if prompted.
Verify the user ID and access to the ldm_read role.
$ id uid=nn(user_1) gid=nn(<group name>) $ roles ldm_read |
Provide access to the user for ldm subcommands that have read authorization.
# su ldm_read |
Type the user password when or if prompted.
Type the id command to show the user.
$ id uid=nn(ldm_read) gid=nn(<group name>) |