Before You Begin
You are in the root role in the global zone.
For information about the command, see the roleadd(1M) man page.
Use the following information as a guide:
Role name – secadmin
-c Local Security Officer
Do not provide proprietary information.
–m home-directory
–u role-UID
–S repository
–K key=value
Assign the Information Security and User Security rights profiles.
# roleadd -c "Local Security Officer" -m \ -u 110 -K profiles="Information Security,User Security" -S files \ -K lock_after_retries=no -K audit_flags=cusa:no secadmin
# passwd -r files secadmin New Password: xxxxxxxx Re-enter new Password: xxxxxxxx passwd: password successfully changed for secadmin #
Assign a password of at least six alphanumeric characters. The password for the Security Administrator role, and all passwords, must be difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.
Possible roles include the following:
admin Role – System Administrator rights profile
oper Role – Operator rights profile
After configuring the first system with a local Security Administrator role, the administrator creates the Security Administrator role in the LDAP repository. In this scenario, LDAP clients can be administered by the Security Administrator role that is defined in LDAP.
# roleadd -c "Site Security Officer" -d server1:/rpool/pool1/BayArea/secadmin -u 111 -K profiles="Information Security,User Security" -S ldap \ -K lock_after_retries=no -K audit_flags=cusa:no secadmin
The administrator provides an initial password for the role.
# passwd -r ldap secadmin New Password: xxxxxxxx Re-enter new Password: xxxxxxxx passwd: password successfully changed for secadmin #
Next Steps
To assign the local role to a local user, see How to Create Users Who Can Assume Roles in Trusted Extensions.