System Administration Guide: Security Services

Creating Roles

To create a role, you must either assume a role that has the Primary Administrator rights profile assigned to it or run as root user. See RBAC Roles and Configuring Recommended Roles to learn more about roles.

How to Create a Role by Using the Administrative Roles Tool
  1. Start the Administrative Roles tool.

    To run the Administrative Roles tool, start the Solaris Management Console, as described in How to Assume a Role in the Console Tools. Then, open the User Tool Collection, and click the Administrative Roles icon.

  2. Start the Add Administrative Role wizard.

    Select Add Administrative Role from the Action menu to start the Add Administrative Role wizard for configuring roles.

  3. Fill in the fields in the series of dialog boxes. Click Finish when done.

    Use the Next and Back buttons to navigate between dialog boxes. Note that the Next button does not become active until all required fields have been filled in. The last dialog box is for reviewing the entered data, at which point you can go back to change entries or click Finish to save the new role. Table 6–1 summarizes the dialog boxes.

  4. Open a terminal window, become root, and start and stop the name service cache daemon.

    The new role does not take effect until the name service cache daemon is restarted. After becoming root, type as follows:


    # /etc/init.d/nscd stop
    # /etc/init.d/nscd start
    
Table 6–1 Add Administrative Role Wizard: Dialog Boxes and Fields

Each dialog box is listed with its fields and a description of each field.

Step 1: Enter a role name
    • Role Name: Short name of the role.
    • Full Name: Long version of the name.
    • Description: Description of the role.
    • Role ID Number: UID for the role, automatically incremented.
    • Role Shell: The profile shells that are available to roles: Administrator's C, Administrator's Bourne, or Administrator's Korn shell.
    • Create a role mailing list: Makes a mailing list for users who are assigned to this role.

Step 2: Enter a role password
    • Role Password: ********
    • Confirm Password: ********

Step 3: Select role rights
    • Available Rights / Granted Rights: Assigns or removes a role's rights profiles.

    Note that the system does not prevent you from typing multiple occurrences of the same command. The attributes that are assigned to the first occurrence of a command in a rights profile have precedence and all subsequent occurrences are ignored. Use the Up and Down arrows to change the order.

Step 4: Select a home directory
    • Server: Server for the home directory.
    • Path: Home directory path.

Step 5: Assign users to this role
    • Add: Adds users who can assume this role. Must be in the same scope.
    • Delete: Deletes users who are assigned to this role.

How to Create a Role From the Command Line
  1. Become superuser or assume a role that is capable of creating other roles.

  2. Select a method for creating a role:

    • For roles in the local scope, use the roleadd command to specify a new local role and its attributes.

    • Alternatively, for roles in the local scope, edit the user_attr file to add a user with type=role.

      This method is recommended for emergencies only, as it is easy to make mistakes while you are typing.

    • For roles in a name service, use the smrole command to specify the new role and its attributes.

      This command requires authentication by superuser or by a role that is capable of creating other roles. You can apply the smrole command to all name services. The command runs as a client of the Solaris Management Console server.

  3. Start and stop the name service cache daemon.

    New roles do not take effect until the name service cache daemon is restarted. As root, type as follows:


    # /etc/init.d/nscd stop
    # /etc/init.d/nscd start
    

Example 6–1 Creating a Custom Operator Role by Using the smrole Command

The following sequence demonstrates how a role is created with the smrole command. In this example, a new version of the Operator role is created that has assigned to it the standard Operator rights profile and the Media Restore rights profile.


% su primaryadmin 
# /usr/sadm/bin/smrole add -H myHost -- -c "Custom Operator" -n oper2 -a johnDoe \
-d /export/home/oper2 -F "Backup/Restore Operator" -p "Operator" -p "Media Restore"
Authenticating as user: primaryadmin

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <type primaryadmin password>

Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost
Login to myHost as user primaryadmin was successful.
Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful.

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password ::<type oper2 password>

# /etc/init.d/nscd stop
# /etc/init.d/nscd start

To view the newly created role (and any other roles), use smrole with the list subcommand, as follows:


# /usr/sadm/bin/smrole list --
Authenticating as user: primaryadmin

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <type primaryadmin password>

Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost
Login to myHost as user primaryadmin was successful.
Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful.
root                    0               Super-User
primaryadmin            100             Most powerful role
sysadmin                101             Performs non-security admin tasks
oper2                   102             Backup/Restore Operator
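After a role has been created by either method and nscd has been restarted, it is worth confirming that the entry in user_attr really carries type=role, the intended rights profiles, and the users who may assume it. The following POSIX shell script is an added example, not part of this guide or of Solaris; it assumes the user_attr(4) field layout (user:qualifier:res1:res2:attr) and uses a constructed sample file that mirrors the oper2 role from Example 6–1.

```shell
#!/bin/sh
# Checks a role entry in user_attr(4): five colon-separated fields,
# user:qualifier:res1:res2:attr, where attr is a ';'-separated list of
# key=value pairs (type=, profiles=, roles=). Sample data below is constructed.

# Print the attr field of NAME from FILE (empty if NAME has no entry).
attr_field() { awk -F: -v n="$1" '$1 == n { print $5; exit }' "$2"; }
# Print the value of KEY from a "k=v;k=v" attribute string.
attr_value() { printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p"; }
# Print the comma-separated rights profiles assigned to NAME.
role_profiles() { attr_value "$(attr_field "$1" "$2")" profiles; }

# Print "role" or "normal" for NAME; return 1 if NAME has no entry at all.
role_type() {
    a=$(attr_field "$1" "$2"); [ -n "$a" ] || return 1
    t=$(attr_value "$a" type); echo "${t:-normal}"
}

# Print, one per line, the users whose roles= list contains ROLE.
role_users() {
    awk -F: -v r="$1" '{ n = split($5, kv, ";")
        for (i = 1; i <= n; i++) if (kv[i] ~ /^roles=/) {
            m = split(substr(kv[i], 7), rl, ",")
            for (j = 1; j <= m; j++) if (rl[j] == r) print $1 } }' "$2"
}

# Report on ROLE; succeed only when ROLE exists and carries type=role.
verify_role() {
    t=$(role_type "$1" "$2") || { echo "$1: no entry in $2"; return 1; }
    [ "$t" = role ] || { echo "$1: type=$t, not a role"; return 1; }
    echo "$1: role; profiles: $(role_profiles "$1" "$2")"
    echo "$1: assumable by: $(role_users "$1" "$2" | tr '\n' ' ')"
}

# Write a constructed user_attr to FILE (mirrors the oper2/johnDoe example).
sample_user_attr() {
    cat > "$1" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=All
primaryadmin::::type=role;auths=solaris.*,solaris.grant;profiles=Primary Administrator
oper2::::type=role;profiles=Operator,Media Restore
johnDoe::::type=normal;roles=oper2
EOF
}

# Usage: check_role.sh ROLE [USER_ATTR_FILE]; no arguments runs the constructed sample.
if [ $# -ge 1 ]; then
    verify_role "$1" "${2:-/etc/user_attr}"
else
    f=$(mktemp); sample_user_attr "$f"; verify_role oper2 "$f"; rm -f "$f"
fi
```

On a live system, run it as `sh check_role.sh oper2` to check /etc/user_attr; the check only covers the local files scope, so roles stored in a name service must be inspected with smrole list as shown above.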