Oracle VM Server for SPARC 2.1 Administration Guide
Creating Authorizations and Profiles and Assigning Roles to User Accounts

You can manage authorizations and profiles and assign roles to user accounts by using the role-based access control (RBAC) feature of the Oracle Solaris OS. For more information about RBAC, see System Administration Guide: Security Services.

Users, authorizations, profiles, and roles can be configured in either of two ways: locally, by using files, or centrally, by using a naming service.

Installing the Logical Domains Manager adds the necessary authorizations and profiles to the local files. To configure users, authorizations, profiles, and roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

Authorization for the Logical Domains Manager has two levels: read, which is granted by the solaris.ldoms.read authorization, and read and write, which is granted by the solaris.ldoms.write authorization.

Following are the Logical Domains entries that are automatically added to the local Oracle Solaris OS /etc/security/auth_attr file:

Managing User Authorizations

The following procedures show how to manage user authorizations on the system by using local files. To manage user authorizations in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

Assign an Authorization to a User

Use this procedure to assign authorizations to Logical Domains Manager users. This authorization assignment information is stored in the local /etc/security/auth_attr file.


Note - Superuser already has the solaris.* authorization, which includes the solaris.ldoms.* authorizations.


  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Assign the read or the read and write authorization to a user.
    • Assign the read authorization to a user.

      # usermod -A solaris.ldoms.read username
    • Assign the read and write authorization to a user.

      # usermod -A solaris.ldoms.write username

    Note - Ensure that you include any existing authorizations for the user in the usermod -A command. The authorizations that you specify with this command replace any authorizations that have already been assigned to the user. See the usermod(1M) man page.


    For the list of user authorizations that are required by the ldm subcommands, see Table 3-1.

Delete All Authorizations Assigned to a User

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Delete all authorizations that are assigned to a local user.
    # usermod -A "" username

Managing User Profiles

The following procedures show how to manage user profiles on the system by using local files. To manage user profiles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

The SUNWldm package adds two system-defined RBAC profiles, LDoms Review and LDoms Management, to the local /etc/security/prof_attr file. These profiles are used to authorize access to the Logical Domains Manager by unprivileged users.

The SUNWldm package also defines the following execution attribute that is associated with the LDoms Management profile:

LDoms Management:suser:cmd:::/usr/sbin/ldm:privs=file_dac_read,file_dac_search

Assign a Profile to a User

Users who have been directly assigned the LDoms Management profile must invoke a profile shell to run the ldm command with security attributes. For more information, see System Administration Guide: Security Services.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Assign an administrative profile to a local user account.

    You can assign either the LDoms Review profile or the LDoms Management profile to a user account.

    # usermod -P "profile-name" username

    The following command assigns the LDoms Management profile to user sam:

    # usermod -P "LDoms Management" sam

Delete All Profiles Assigned to a User

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Delete all profiles that are assigned to a local user.
    # usermod -P "" username

Assigning Roles to Users

The following procedure shows how to create a role and assign it to a user by using local files. To manage roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

The advantage of using this procedure is that only a user who has been assigned a specific role can assume that role. When assuming a role, a password is required if the role has been assigned a password. These two layers of security prevent a user who has not been assigned a role, yet has the password, from assuming that role.

Create a Role and Assign the Role to a User

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Create a role.
    # roleadd -P "profile-name" role-name
  3. Assign a password to the role.

    You will be prompted to specify and then verify a new password.

    # passwd role-name
  4. Assign the role to a user.
    # useradd -R role-name username
  5. Assign a password to the user.

    You will be prompted to specify and then verify a new password.

    # passwd username
  6. Become the user and provide the password, if necessary.
    # su username
  7. Verify that the user has access to the assigned role.
    $ id
    uid=nn(username) gid=nn(group-name)
    $ roles
    role-name
  8. Assume the role and provide the password, if necessary.
    $ su role-name
  9. Verify that the user has assumed the role.
    $ id
    uid=nn(role-name) gid=nn(group-name)

Example 3-1 Creating a Role and Assigning the Role to a User

This example shows how to create the ldm_read role, assign the role to the user_1 user, become the user_1 user, and assume the ldm_read role.

# roleadd -P "LDoms Review" ldm_read
# passwd ldm_read
New Password: ldm_read-password
Re-enter new Password: ldm_read-password
passwd: password successfully changed for ldm_read
# useradd -R ldm_read user_1
# passwd user_1
New Password: user_1-password
Re-enter new Password: user_1-password
passwd: password successfully changed for user_1
# su user_1
Password: user_1-password
$ id
uid=95555(user_1) gid=10(staff)
$ roles
ldm_read
$ su ldm_read
Password: ldm_read-password
$ id
uid=99667(ldm_read) gid=14(sysadmin)
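The following shell script is an added example and is not part of the Oracle guide. It supports two of the procedures above: "Assign an Authorization to a User" (in particular the note that usermod -A replaces, rather than adds to, a user's existing authorizations) and "Create a Role and Assign the Role to a User". It works offline on a constructed file in the user_attr(4) format, which is where usermod -A, usermod -P and useradd -R record their assignments on the system. The user, role and authorization names in the sample data are constructed for the example, and the function names (user_attr_get, merged_auths, ldoms_writers, role_chain_check) are the example's own, not commands from the product.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): offline checks over a
# user_attr(4)-format file before and after running the usermod/roleadd
# steps described above. All file contents below are constructed sample data.

# Print attribute KEY for NAME (user or role) from the user_attr-format FILE;
# empty output when the entry or the key is absent.
user_attr_get() {  # file name key
  awk -F: -v u="$2" -v k="$3" '
    $1 == u {
      n = split($5, kv, ";")
      for (i = 1; i <= n; i++)
        if (index(kv[i], k "=") == 1) { print substr(kv[i], length(k) + 2); exit }
    }' "$1"
}

# Return 0 if comma-separated LIST contains ITEM exactly.
list_has() {  # list item
  case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Value to pass to "usermod -A": the user's current authorizations plus
# NEW_AUTH, so the command does not silently drop the existing ones.
merged_auths() {  # file user new_auth
  cur=$(user_attr_get "$1" "$2" auths)
  if [ -z "$cur" ]; then printf '%s\n' "$3"
  elif list_has "$cur" "$3"; then printf '%s\n' "$cur"
  else printf '%s\n' "$cur,$3"
  fi
}

# List entries whose auths grant solaris.ldoms.write, either directly or
# through the solaris.ldoms.* / solaris.* wildcards (one name per line, sorted).
ldoms_writers() {  # file
  awk -F: '$1 != "" {
      n = split($5, kv, ";"); hit = 0
      for (i = 1; i <= n && !hit; i++) if (index(kv[i], "auths=") == 1) {
        m = split(substr(kv[i], 7), a, ",")
        for (j = 1; j <= m && !hit; j++)
          if (a[j] == "solaris.ldoms.write" || a[j] == "solaris.ldoms.*" || a[j] == "solaris.*") hit = 1
      }
      if (hit) print $1
    }' "$1" | sort
}

# Verify the chain built by the role procedure: ROLE is defined with
# type=role, carries PROFILE, and USER is permitted to assume it.
# Prints "ok" or a FAIL line naming the first broken link.
role_chain_check() {  # file user role profile
  if [ "$(user_attr_get "$1" "$3" type)" != "role" ]; then
    echo "FAIL: $3 is not defined as a role"
  elif ! list_has "$(user_attr_get "$1" "$3" profiles)" "$4"; then
    echo "FAIL: role $3 lacks profile $4"
  elif ! list_has "$(user_attr_get "$1" "$2" roles)" "$3"; then
    echo "FAIL: user $2 has not been assigned role $3"
  else
    echo ok
  fi
}

# Stand-alone demonstration on constructed data (not a real /etc/user_attr).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=All
sam::::profiles=LDoms Management
alice::::auths=solaris.ldoms.read,solaris.jobs.admin
ldm_read::::type=role;profiles=LDoms Review
user_1::::roles=ldm_read;profiles=Basic Solaris User
EOF
echo "next command: usermod -A \"$(merged_auths "$SAMPLE" alice solaris.ldoms.write)\" alice"
echo "entries able to change the configuration:"; ldoms_writers "$SAMPLE"
role_chain_check "$SAMPLE" user_1 ldm_read "LDoms Review"
role_chain_check "$SAMPLE" sam ldm_read "LDoms Review"
rm -f "$SAMPLE"
```

Run the script against a copy of the control domain's /etc/user_attr rather than the constructed sample: merged_auths prints the exact value to give usermod -A so that alice keeps solaris.ldoms.read and solaris.jobs.admin when solaris.ldoms.write is added, ldoms_writers is the question an auditor asks of the file (who can modify the domain configuration, wildcards included), and role_chain_check is the same check that steps 7 to 9 of the role procedure perform interactively with roles and su, without having to log in as each user.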