This section assumes that you have completed New Feature – Enabling the account-policy Service.
The following command displays the RBAC policy variables as SMF properties:
$ svcprop -p rbac account-policy
rbac/console_user_profiles astring Console\ User
rbac/default_auth_profiles astring
rbac/default_authorizations astring
rbac/default_limit_privileges astring
rbac/default_privileges astring
rbac/default_profiles astring Basic\ Solaris\ User

Example 35 Adding a Rights Profile to Every Login
In this example, the administrator adds the Site Console User rights profile and removes access to the Console User rights profile by users of the system. This example assumes the administrator has completed New Feature – Enabling the account-policy Service.
$ pfbash svccfg -s account-policy
svc:/.../account-policy> setprop config/etc_security_policyconf/disabled = boolean
svc:/.../account-policy> setprop rbac/console_user_profiles astring = ""
svc:/.../account-policy> setprop rbac/default_profiles astring = "Site Console User, Basic Solaris User"
svc:/.../account-policy> exit
$ svcadm refresh account-policy
How to Remove Power Management Capability From Users shows the contents of the Site Console User rights profile.
This section assumes that you have completed New Feature – Enabling the account-policy Service.
Under particular circumstances, you can remove privileges from a system. For example, you might prevent remote users from examining the status of processes that they do not own. Public systems might benefit from reduced privileges.
The following commands modify a public system to prevent file linking and viewing any processes outside of the user's session:
$ pfbash svccfg -s account-policy
svc:/.../account-policy> setprop config/etc_security_policyconf/disabled = boolean
svc:/.../account-policy> setprop rbac/default_privileges = "basic,!file_link_any"
svc:/.../account-policy> exit
$ svcadm refresh account-policy
This section assumes that you have completed New Feature – Enabling the account-policy Service.
Rights profiles can specify the rights for a large number of users. They are easily maintained and can be applied to a system.
$ pfbash svccfg -s account-policy
svc:/.../account-policy> setprop config/etc_security_policyconf/disabled = boolean
svc:/.../account-policy> setprop rbac/default_profiles = "Example Rights Profile"
svc:/.../account-policy> exit
$ svcadm refresh account-policy

Example 36 Assigning the Editor Restrictions Rights Profile to All Logins
This example shows how to require all users of an editor on a system to authenticate before editing.
$ pfbash svccfg -s account-policy
svc:/.../account-policy> setprop config/etc_security_policyconf/disabled = boolean
svc:/.../account-policy> setprop rbac/default_profiles = "Editor Restrictions"
svc:/.../account-policy> exit
$ svcadm refresh account-policy
The "Editor Restrictions" profile was created in Example 26, Preventing Guests From Spawning Editor Subprocesses.
Example 37 Enabling Only the Console User to Log In

In this example, the administrator creates a system that is useful only to administer the network. The administrator removes the Basic Solaris User rights profile and any authorizations from the system. The Console User rights profile is not removed.
$ pfbash svccfg -s account-policy
svc:/.../account-policy> setprop config/etc_security_policyconf/disabled = boolean
svc:/.../account-policy> setprop rbac/default_authorizations = ""
svc:/.../account-policy> setprop rbac/default_profiles = ""
svc:/.../account-policy> exit
$ svcadm refresh account-policy
Only a user who has been explicitly assigned authorizations, commands, or rights profiles is able to use this system. After login, the authorized user can perform administrative duties. If the authorized user is sitting at the system console, the user has the rights of the Console User.
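To confirm that a change such as Example 37 took effect after the refresh, the output of svcprop -p rbac account-policy can be compared with the values you intended to set. The following script is an added example, not part of the original documentation; the function names and the baseline values are assumptions, and the sample output is constructed from the svcprop listing at the start of this section.

```shell
#!/bin/sh
# Added example: audit the account-policy RBAC defaults against a baseline.
# On a live system, pipe `svcprop -p rbac account-policy` into check_baseline.

# Constructed sample, copied from the svcprop listing in this section.
sample_output() {
cat <<'EOF'
rbac/console_user_profiles astring Console\ User
rbac/default_auth_profiles astring
rbac/default_authorizations astring
rbac/default_limit_privileges astring
rbac/default_privileges astring
rbac/default_profiles astring Basic\ Solaris\ User
EOF
}

# rbac_value PROP: read svcprop output on stdin and print the value of
# rbac/PROP with "\ " unescaped. Exits 1 if the property is absent.
rbac_value() {
    awk -v want="rbac/$1" '$1 == want {
        line = $0
        sub(/^[^ ]+ +[^ ]+ ?/, "", line)   # drop the name and type columns
        gsub(/\\ /, " ", line)             # svcprop escapes spaces as "\ "
        print line
        found = 1
    }
    END { exit(found ? 0 : 1) }'
}

# check_baseline "prop=value"...: read svcprop output on stdin, report each
# property that is missing or differs, and return 1 if any did.
check_baseline() {
    out=$(cat); rc=0
    for pair in "$@"; do
        prop=${pair%%=*}; want=${pair#*=}
        if ! got=$(printf '%s\n' "$out" | rbac_value "$prop"); then
            echo "MISSING $prop"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "DRIFT $prop: expected '$want', found '$got'"; rc=1
        fi
    done
    return $rc
}

# Demo: the sample still holds the defaults, so the Example 37 baseline fails.
sample_output | check_baseline "default_profiles=" "default_authorizations=" \
    "console_user_profiles=Console User" || echo "policy differs from baseline"
```

A non-zero return from check_baseline makes the script usable as a gate in a configuration-management run or a periodic audit job.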