Securing Users and Processes in Oracle® Solaris 11.2


Updated: July 2014
 
 

Order of Search for Assigned Rights

A user or role can be assigned security attributes directly or through a rights profile. The order of search determines which security attribute value is used: the system uses the value from the first instance of the attribute that it finds.


Note -  The order of authorizations is not important. Authorizations are cumulative.

When a user logs in, rights are assigned in the following search order:

  • Rights that are assigned directly to the user with the useradd and usermod commands. For a list of possible rights assignments, see user_attr Database.

  • Rights profiles that are assigned to the user with the useradd and usermod commands. These assignments are searched in order.

    • First, the authenticated rights profiles are searched.

      The order is the first profile in the authenticated profiles list and then its supplementary profiles, the second profile in the authenticated profiles list and then its supplementary profiles, and so on. The first instance of a value is the one that the system uses, except for auths values, which are cumulative. The attributes that can be assigned to rights profiles include all the rights that can be assigned to users, plus supplementary profiles. For the list, see user_attr Database.

    • Then, the rights profiles that do not require reauthentication are searched in the same fashion.

  • Console User rights profile value. For a description, see Rights Profiles Reference.

  • If the Stop rights profile is assigned, the evaluation of security attributes stops. No attributes are assigned after the Stop profile is assigned. The Stop profile is evaluated after the Console User rights profile and before the other security attributes in the policy.conf file, including AUTHS_GRANTED. For a description, see Rights Profiles Reference.

  • Basic Solaris User rights profile value in the policy.conf file.

  • AUTHS_GRANTED value in the policy.conf file.

  • AUTH_PROFS_GRANTED value in the policy.conf file.

  • PROFS_GRANTED value in the policy.conf file.

  • PRIV_DEFAULT value in the policy.conf file.

  • PRIV_LIMIT value in the policy.conf file.
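
The search order above, modelled as an added example (not Oracle's code): the first value found wins for each attribute, auths accumulate, and an assigned Stop profile cuts off the policy.conf values. Assumptions: the profile names, authorization strings and helper functions are hypothetical, Console User carries no attributes here, and only the AUTHS_GRANTED, PRIV_DEFAULT and PRIV_LIMIT entries of policy.conf are represented.

```python
# Added example: simplified model of the search order, using constructed data.

def expand(names, catalog):
    """Yield each profile, then its supplementary profiles, in list order."""
    for name in names:
        entry = catalog.get(name, {})
        yield name, entry.get("attrs", {})
        yield from expand(entry.get("profiles", []), catalog)

def search_chain(user, catalog, console_user, policy_conf):
    """Return the ordered (source, attrs) list that is searched for one user."""
    assigned = list(expand(user.get("auth_profiles", []), catalog))  # authenticated first
    assigned += expand(user.get("profiles", []), catalog)            # then the others
    stopped = any(name == "Stop" for name, _ in assigned)
    chain = [("user", user.get("attrs", {}))]                        # direct assignments
    chain += [(n, a) for n, a in assigned if n != "Stop"]
    chain.append(("Console User", console_user))
    # Assumption: Stop is modelled only where the page places it, after
    # Console User and before every policy.conf value.
    return chain if stopped else chain + policy_conf

def resolve(chain):
    """First value found wins for each attribute; auths accumulate."""
    effective, origin, auths = {}, {}, set()
    for source, attrs in chain:
        for key, value in attrs.items():
            if key == "auths":
                auths.update(value)
            elif key not in effective:
                effective[key], origin[key] = value, source
    effective["auths"] = sorted(auths)
    return effective, origin

# Constructed data: profile names and authorization strings are hypothetical.
CATALOG = {
    "Auth Profile A": {"attrs": {"defaultpriv": "basic", "auths": ["example.auth.a"]},
                       "profiles": ["Supp A1"]},
    "Supp A1": {"attrs": {"lock_after_retries": "yes"}},
    "Profile B": {"attrs": {"lock_after_retries": "no", "auths": ["example.auth.b"]}},
}
USER = {"attrs": {"defaultpriv": "basic,file_dac_read"},
        "auth_profiles": ["Auth Profile A"], "profiles": ["Profile B"]}
POLICY_CONF = [("AUTHS_GRANTED", {"auths": ["example.auth.policy"]}),
               ("PRIV_DEFAULT", {"defaultpriv": "basic"}),
               ("PRIV_LIMIT", {"limitpriv": "all"})]

def effective_rights(user):
    return resolve(search_chain(user, CATALOG, {}, POLICY_CONF))
```

The `origin` mapping returned alongside the effective values records which source supplied each attribute, which is the question to answer when a user's rights differ from what a profile appears to grant.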