Commands for Administering Rights

Language:

This section lists commands that are used to administer rights. It also includes a table of commands whose access can be controlled by authorizations.

Commands That Manage Authorizations, Rights Profiles, and Roles

The commands listed in the following table retrieve and set rights on user processes.

Table 3 Rights Administration Commands

Command	Description
`account-policy`(8S)	SMF stencil for system security policy.
`auths`(1)	Displays authorizations for a user. Creates new authorizations.
`getent`(8)	Lists the contents of the rights databases.

`nscd`(8)	Name service cache daemon, useful for caching the rights databases. Use the `svcadm` command to restart the daemon.
`pam_roles`(7)	Role account management module for PAM. Checks for the authorization to assume a role.
`pam_unix_account`(7)	UNIX account management module for PAM. Checks for account restrictions, such as time restrictions and inactivity.
`pfbash`(1)	Used to create a profile shell process that can evaluate rights.
`pfedit`(8)	Used to edit administrative files.
`pfexec`(1)	Used to execute a command with security attributes.
`profiles`(1)	Displays rights profiles for a specified user. Creates or modifies a rights profile.
`roles`(1)	Displays roles that a specified user can assume.
`roleadd`(8)	Adds a role to a local system or to an LDAP network.
`roleadd`(8)	Adds a role to a local system or to an LDAP network.
`rolemod`(8)	Modifies a role's properties on a local system or on an LDAP network.
`userattr`(1)	Displays the value of a specific right that is assigned to a user or role account.
`useradm`(8)	Displays all the rights that are directly assigned to a user or role account. Requires installation of the `useradm` package.
`useradd`(8)	Adds a user account to the system or to an LDAP network. The `–R` option assigns a role to a user's account.
`userdel`(8)	Deletes a user's login from the system or from an LDAP network.
`usermod`(8)	Modifies a user's account properties on the system.

Selected Commands That Require Authorizations

The following table provides examples of how authorizations are used to limit command options on an Oracle Solaris system. For more discussion of authorizations, see Authorizations Reference.

Table 4 Commands and Associated Authorizations

Command	Authorization Requirements
`at`(1)	`solaris.jobs.user` required for all options (when neither `at.allow` nor `at.deny` files exist)
`atq`(1)	`solaris.jobs.admin` required for all options
`cdrw`(1)	`solaris.device.cdrw` required for all options, which is granted by default in the `policy.conf` file
`crontab`(1)	`solaris.jobs.user` required for the option to submit a job (when neither `crontab.allow` nor `crontab.deny` files exist) `solaris.jobs.admin` required for the options to list or modify other users' `crontab` files
`allocate`(8)	`solaris.device.allocate` (or other authorization as specified in `device_allocate` file) required to allocate a device `solaris.device.revoke` (or other authorization as specified in `device_allocate` file) required to allocate a device to another user (`–F` option)
`deallocate`(8)	`solaris.device.allocate` (or other authorization as specified in `device_allocate` file) required to deallocate another user's device `solaris.device.revoke` (or other authorization as specified in `device_allocate`) required to force deallocation of the specified device (`–F` option) or all devices (`–I` option)
`list_devices`(1)	`solaris.device.revoke` required to list another user's devices (`–U` option)
`roleadd`(8)	`solaris.user.manage` required to create a role. `solaris.account.activate` required to set the initial password. `solaris.account.setpolicy` required to set password policy, such as account locking and password aging.
`roledel`(8)	`solaris.passwd.assign` authorization required to delete the password.
`rolemod`(8)	`solaris.passwd.assign` authorization required to change the password. `solaris.account.setpolicy` required to change password policy, such as account locking and password aging.
`sendmail`(8)	`solaris.mail` required to access mail subsystem functions; `solaris.mail.mailq` required to view mail queue
`useradd`(8)	`solaris.user.manage` required to create a user. `solaris.account.activate` required to set the initial password. `solaris.account.setpolicy` required to set password policy, such as account locking and password aging.
`userdel`(8)	`solaris.passwd.assign` authorization required to delete the password.
`usermod`(8)	`solaris.passwd.assign` authorization required to change the password. `solaris.account.setpolicy` required to change password policy, such as account locking and password aging.