You set up authorization and profiles and assign roles for user accounts using the Oracle Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Domains Manager. Refer to the Solaris 10 System Administrator Collection for more information about RBAC.
Authorization for the Logical Domains Manager has two levels:
Read – allows you to view, but not modify the configuration.
Read and write – allows you to view and change the configuration.
Following are the Logical Domains entries automatically added to the Oracle Solaris OS /etc/security/auth_attr file:
solaris.ldoms.grant:::Delegate LDom configuration::
solaris.ldoms.read:::View LDom configuration::
solaris.ldoms.write:::Manage LDom configuration::
Use the following steps as necessary to add authorizations in the /etc/security/auth_attr file for Logical Domains Manager users. Because the superuser already has solaris.* authorization, the superuser already has permission for solaris.ldoms.* authorizations.
Note - To add Logical Domains Manager authorization for a user, a local (non-LDAP) account must be created for that user. Refer to the Oracle Solaris OS System Administrator Collection for details.
See Table 3-1 for a list of ldm(1M) commands and their user authorizations.
Add a read-only authorization for a user using the usermod(1M) command.
# usermod -A solaris.ldoms.read username
Add a read and write authorization for a user using the usermod(1M) command.
# usermod -A solaris.ldoms.write username
Remove all authorizations from a user using the usermod(1M) command.
# usermod -A "" username
The SUNWldm package adds two system-defined RBAC profiles in the /etc/security/prof_attr file for use in authorizing access to the Logical Domains Manager by non-superusers. The two Logical Domains-specific profiles are:
LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read
LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*
The SUNWldm package also defines the following execution attribute that is associated with the LDoms Management profile:
One of the preceding profiles can be assigned to a user account using the following procedure.
Users who have been directly assigned the LDoms Management profile must invoke a profile shell to run the ldm command with security attributes. For more information, see the Oracle Solaris 10 System Administrator Collection.
# usermod -P "LDoms Management" username
Remove all profiles from a user using the usermod(1M) command.
# usermod -P "" username
The advantage of using this procedure is that only a user who has been assigned a specific role can assume the role. In assuming a role, a password is required if the role is given a password. This provides two layers of security. If a user has not been assigned a role, then the user cannot assume the role (by doing the su role-name command) even if the user has the correct password.
# roleadd -P "LDoms Review" ldm_read
# passwd ldm_read
Assign the role to a user, for example user_1.
# useradd -R ldm_read user_1
# passwd user_1
Log in as the user, confirm the assigned role, and assume it.
# su user_1
$ id
uid=nn(user_1) gid=nn(group-name)
$ roles
ldm_read
$ su ldm_read
$ id
uid=nn(ldm_read) gid=nn(group-name)
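Because the same LDoms authorization can reach a user directly, through a profile, or only after assuming a role, an administrator auditing who can view or change domain configuration has to resolve all three paths. The following POSIX shell script is an added example, not part of the Oracle documentation: it resolves a user's effective LDoms authorizations from the RBAC databases, using constructed user_attr and prof_attr samples in place of the live /etc/user_attr and /etc/security/prof_attr files.

```shell
# Added audit example, not from the Oracle documentation. The two files are constructed
# samples standing in for /etc/user_attr and /etc/security/prof_attr on a host.
USER_ATTR=$(mktemp); PROF_ATTR=$(mktemp)
cat >"$USER_ATTR" <<'EOF'
root::::auths=solaris.*
ldm_read::::type=role;profiles=LDoms Review
user_1::::type=normal;roles=ldm_read
user_2::::type=normal;auths=solaris.ldoms.read,solaris.admin.usermgr.read
user_3::::type=normal;profiles=LDoms Management
EOF
cat >"$PROF_ATTR" <<'EOF'
LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read
LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*
EOF

# Value of key $2 in the key=value;... attribute field of entry $1 in file $3.
attr_value() {
    awk -F: -v name="$1" -v key="$2" '$1 == name {
        n = split($NF, kv, ";")
        for (i = 1; i <= n; i++)
            if (index(kv[i], key "=") == 1) print substr(kv[i], length(key) + 2)
    }' "$3"
}
# Expand a comma-separated list into one item per line.
split_list() { printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'; }
# Authorizations a user or role holds directly or through its assigned profiles.
own_auths() {  # $1=name $2=user_attr $3=prof_attr
    split_list "$(attr_value "$1" auths "$2")"
    split_list "$(attr_value "$1" profiles "$2")" | while IFS= read -r prof; do
        split_list "$(attr_value "$prof" auths "$3")"
    done
}

# Effective LDoms authorizations of a user, one "<source> <authorization>" per line;
# source is "direct" or "role:<name>" (usable only after su to that role).
ldoms_auths() {  # $1=user $2=user_attr $3=prof_attr
    {
        own_auths "$1" "$2" "$3" | sed 's/^/direct /'
        split_list "$(attr_value "$1" roles "$2")" | while IFS= read -r role; do
            own_auths "$role" "$2" "$3" | sed "s/^/role:$role /"
        done
    } | grep -E ' solaris\.(ldoms\.[^ ]+|\*)$' | sort -u
}
# Succeeds when the user can change domain configuration without assuming a role.
can_write_directly() {
    ldoms_auths "$1" "$2" "$3" | grep -Eq '^direct solaris\.(ldoms\.(write|\*)|\*)$'
}
for u in root user_1 user_2 user_3; do echo "== $u"; ldoms_auths "$u" "$USER_ATTR" "$PROF_ATTR"; done
```

Running it against the real files shows at a glance which accounts hold solaris.ldoms.write or solaris.ldoms.* without a role boundary, which is the set to keep small on a control domain.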