Getting Started With Oracle Solaris 11 Express Oracle Solaris 11 Express 11/10
The assignment of user accounts, roles, and rights profiles in Oracle Solaris conforms to Role-Based Access Control (RBAC) specifications. RBAC provides a more secure alternative to the all-or-nothing superuser model.
RBAC implements the security principle of least privilege. Least privilege means that a user has only those capabilities that are necessary to perform a specific job. Capabilities that are beyond regular user capabilities are grouped together into rights profiles. These profiles are assigned to special user accounts, called roles. A user assumes a role to perform a job that requires some of superuser's capabilities.
In the default Oracle Solaris system configuration, the user account that is created during installation is assigned the root role if you used the text installation method. If you did not create a user account during the installation, root is set up as an account. See How User Accounts Are Set Up.
To better understand the purpose and function of user accounts, roles, and rights profiles, review the following information:
A user account is a login account. Regular users can log in and use the system, but cannot administer the system.
A role is not a login account. For example, you cannot directly log in to the root role. Instead, you log in as your user name, then use the su - root command to assume the root role. A user can only assume roles that are assigned to the user's login account.
A rights profile is a collection of administrative capabilities that is typically assigned to a role, but can be assigned to a user. The names of rights profiles indicate the capabilities of the profiles, such as System Administrator or Printer Management. Typically, the system administrator creates a role with the same name as the rights profile and assigns the profile to that role. Also, rights profiles are hierarchical, that is, one rights profile can include other rights profiles. When a role is assigned a rights profile that includes other profiles, that role has the capabilities of all of those profiles.
Oracle Solaris provides predefined rights profiles. These profiles, listed in the /etc/security/prof_attr file, can be assigned by the root role to any account. The root role is assigned all privileges and all authorizations, so it can perform all tasks, just as root can when root is a user.
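Because rights profiles can include other profiles, the capabilities a role really holds are the union over the whole hierarchy. The following is an added example, not Oracle's code: it parses entries in the prof_attr layout (profname:res1:res2:desc:attr) and expands included profiles for a least-privilege review. The sample entries and every authorization name in them are constructed, and parse_prof_attr and effective_rights are hypothetical helper names.

```python
# Constructed sample in prof_attr layout: profname:res1:res2:desc:attr
# The profile contents and auth names are invented for illustration.
SAMPLE_PROF_ATTR = """\
# constructed entries, not copied from a real system
System Administrator:::Constructed top profile:profiles=Printer Management,Example Audit Review;auths=example.admin.*
Printer Management:::Constructed print profile:auths=example.print.manage;profiles=Example Basic
Example Audit Review:::Constructed audit profile:auths=example.audit.read;profiles=Example Basic
Example Basic:::Constructed base profile:auths=example.basic.use
"""

def parse_prof_attr(text):
    """Return {profile: {"profiles": [...], "auths": [...]}} from prof_attr text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # skip malformed entries instead of guessing
        entry = {"profiles": [], "auths": []}
        for pair in fields[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep and key in entry:
                entry[key] = [v.strip() for v in value.split(",") if v.strip()]
        table[fields[0]] = entry
    return table

def effective_rights(table, profile):
    """Expand included profiles transitively.

    Returns (profiles visited in order, sorted auths, sorted missing names)."""
    seen, auths, missing = [], set(), set()
    stack = [profile]
    while stack:
        current = stack.pop()
        if current in seen:
            continue  # already expanded: handles shared children and cycles
        if current not in table:
            missing.add(current)  # referenced but never defined
            continue
        seen.append(current)
        auths.update(table[current]["auths"])
        stack.extend(reversed(table[current]["profiles"]))
    return seen, sorted(auths), sorted(missing)
```

Names returned in the missing list are profiles that an entry references but the file never defines, which is worth checking before assigning the parent profile to a role.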
To perform administrative functions, you open a terminal and switch the user to root. In that terminal, you can then perform all administrative functions.
$ su - root
Password: Type root password
#
When you exit the shell, root capabilities are no longer in effect.