Using the Solaris Management Tools With RBAC (Task Map)

This task map describes the tasks to do if you want to use the Role-Based Access Control (RBAC) security features rather than use the superuser account to perform administration tasks.

---

Note –

The information in this chapter describes how to use the console with RBAC. RBAC overview and task information is included to show you how to initially setup RBAC with the console.

For detailed information on RBAC and using it with other applications, see “Role-Based Access Control (Overview)” in System Administration Guide: Security Services.

---

Task	Description	For Instructions
1. Start the console	If your user account is already set up, start the console as yourself, and then log in to the console as root. If you do not have a user account set up, become superuser first, and then start the console.	How to Start the Console as Superuser or as a Role
2. Add a user account for yourself	Add a user account for yourself if you do not have one already.	Solaris Management Console online help
3. Create the Primary Administrator role	Create the Primary Administrator role and add yourself to this role.	How to Create the First Role (Primary Administrator)
4. Assume the Primary Administrator role	Assume the Primary Administrator role after you have created this role.	How to Assume the Primary Administrator Role
5. (Optional) Make root a role	Make root a role and add yourself to the root role so that no other user can use the su command to become root.	“Making a Role” in System Administration Guide: Security Services
6. (Optional) Create other administrative roles	Create other administrative roles and grant the appropriate rights to each role. Then, add the appropriate users to each role.	“How to Create a Role by Using the Administrative Roles Tool” in System Administration Guide: Security Services

The following sections provide overview information and step-by-step instructions for using the Solaris Management Console and the RBAC security features.

If You Are the First to Log In to the Console

If you are the first administrator to log in to the console, start the console as a user (yourself), and then log in as superuser. This method gives you complete access to all the console tools.

Here are the general steps, depending on whether or not you are using RBAC:

• Without RBAC – If you choose not to use RBAC, continue working as superuser. All other administrators will also need root access to perform their jobs.

• With RBAC – You'll need to do the following:

  • Set up your user account, if you do not already have one.

  • Create the role called Primary Administrator.

  • Assign the Primary Administrator right to the role you are creating.

  • Assign your user account to this role.

    For step-by-step instructions on creating the Primary Administrator role, see How to Create the First Role (Primary Administrator).

    For an overview on configuring RBAC to use roles, see “Configuring RBAC (Task Map)” in System Administration Guide: Security Services.

Creating the Primary Administrator Role

An administrative role is a special user account. Users who assume a role are permitted to perform a pre-defined set of administrative tasks.

The Primary Administrator role is permitted to perform all administrative functions, similar to superuser.

If you are superuser, or a user assuming the Primary Administrator role, you can define which tasks other administrators are permitted to perform. With the help of the Add Administrative Role wizard, you can create a role, grant rights to the role, and then specify which users are permitted to assume that role. A right is a named collection of commands, or authorizations, for using specific applications or for performing specific functions within an application, and other rights, whose use can be granted or denied by an administrator.

You are prompted for the following information when you create the Primary Administrator role:

Table 2–2 Item Descriptions for Adding a Role by Using the Console

Item	Description
Role Name	Selects the name an administrator uses to log in to a specific role.
Full Name	Provides a full, descriptive name of this role. (Optional)
Description	Further description of this role.
Role ID Number	Selects the identification number assigned to this role. This number is the same as the set of identifiers for UIDs.
Role Shell	Selects the shell that runs when a user logs into a terminal or console window and assumes a role in that window.
Create a role mailing list	Creates a mailing list with the same name as the role, if checked. You can use this list to send email to everyone assigned to the role.
Role Password and Confirm Password	Sets and confirms the role password and password.
Available Rights and Granted Rights	Assigns rights to this role by choosing from the list of Available Rights and adding them to the list of Granted Rights.
Select a home directory	Selects the home directory server where this role's private files will be stored.
Assign users to this role	Adds specific users to the role so they can assume the role to perform specific tasks.

For detailed information about Role-Based Access Control, and how to use roles to create a more secure environment, see “Role-Based Access Control (Overview)” in System Administration Guide: Security Services.

How to Create the First Role (Primary Administrator)

This procedure describes how to create the Primary Administrator role and then assign it to your user account. This procedure assumes that your user account is already created.

1. Start the console as yourself.

   % /usr/sadm/bin/smc &

   For additional information on starting the console, see How to Start the Console as Superuser or as a Role.

   See the console online help if you need to create a user account for yourself.

2. Click This Computer icon in the Navigation pane.

3. Click System Configuration->Users->Administrative Roles.

4. Click Action->Add Administrative Role.

   The Add Administrative Role wizard opens.

5. Create the Primary Administrator role with the Administrative Role wizard by following these steps.

   1. Identify the role name, full role name, description, role ID number, role shell, and whether you want to create a role mailing list. Click Next.

   2. Set and confirm the role password. Click Next.

   3. Select the Primary Administrator right from the Available Rights column and add it to Granted Rights column. Click Next.

   4. Select the home directory for the role. Click Next.

   5. Assign yourself to the list of users who can assume the role. Click Next.

   If necessary, see Table 2–2 for a description of the role items.

6. Click Finish.

How to Assume the Primary Administrator Role

After you have created the Primary Administrator role, log in to the console as yourself, and then assume the Primary Administrator role.

When you assume a role, you take on all the attributes of that role, including the rights. At the same time, you relinquish all of your own user properties.

1. Start the console.

   % /usr/sadm/bin/smc &

   For information on starting the console, see How to Start the Console as Superuser or as a Role.

2. Log in with your user name and password.

   A list shows which roles you are permitted to assume.

3. Log in to the Primary Administrator role and provide the role password.