After the initial user is logged in, the kernel, file systems, system files, and desktop applications are protected by file permissions, privileges, and user rights. User rights are also known as role-based access control (RBAC).
Kernel protections – Many daemons and administrative commands are assigned just the privileges that enable them to succeed. Many daemons are run from special administrative accounts that do not have root (UID=0) privileges, so they cannot be hijacked to perform other tasks. These special administrative accounts cannot log in. Devices are protected by privileges.
File systems – By default, all file systems are ZFS file systems. The user's umask is 022, so when a user creates a new file or directory, only the user is allowed to modify it. Members of the user's group are allowed to read and search the directory, and read the file. Logins that are outside the user's group can list the directory and read the file. The default directory permissions are drwxr-xr-x (755). The file permissions are -rw-r--r-- (644).
System files – System configuration files are protected by file permissions. Only the root role or a user who is assigned the right to edit a specific system file can modify a system file.
Desktop applets – Desktop applets are protected by rights management. Therefore, administrative actions, such as the addition of remote printers in Print Manager, are restricted to users and roles who have administrative rights for printing.
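The file system defaults described above can be verified from a shell. The following is an added example, not taken from the original documentation: the function names mode_under_umask and find_loose_perms are hypothetical, and umask 077 is included only as a stricter setting for comparison.

```shell
#!/bin/sh
# Added example: confirm what a umask produces and audit a tree for
# entries looser than the umask 022 defaults (755 directories, 644 files).

# Print the 10-character mode string that a newly created file or
# directory receives under the given umask.
#   $1 = umask value (for example 022)
#   $2 = "file" or "dir"
mode_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1      # scratch directory, created 0700
        umask "$1"                      # applies only inside this subshell
        if [ "$2" = dir ]; then
            mkdir "$tmp/new"            # requested 0777, masked by umask
        else
            : > "$tmp/new"              # requested 0666, masked by umask
        fi
        # Keep only the type and permission characters; this drops any
        # trailing ACL or security-label marker that ls may append.
        ls -ld "$tmp/new" | cut -c1-10
        rm -rf "$tmp"
    )
}

# List regular files and directories under $1 that the group or others
# can write to. Under umask 022 no newly created entry should match, so
# any output points at an explicit chmod or a different umask.
find_loose_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Show the default (022) beside a stricter umask (077).
for u in 022 077; do
    printf 'umask %s: file %s  dir %s\n' "$u" \
        "$(mode_under_umask "$u" file)" "$(mode_under_umask "$u" dir)"
done
```

Running find_loose_perms against a home directory or an application data directory lists the entries whose permissions were loosened after creation.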