System Administration Guide: Security Services

How to Assign Privileges to a User or Role

You might trust some users with a particular privilege all the time. Very specific privileges that affect a small part of the system are good candidates for assigning to a user. For a discussion of the implications of directly assigned privileges, see Security Considerations When Directly Assigning Security Attributes.

The following procedure enables user jdoe to use high resolution timers.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Add the privilege that affects high resolution timers to the user's initial inheritable set of privileges.

    $ usermod -K defaultpriv=basic,proc_clock_highres jdoe

  3. Read the resulting user_attr entry.

    $ grep jdoe /etc/user_attr

Example 11–6 Creating a Role With Privileges to Configure System Time

In this example, a role is created whose only task is to handle time on the system.

$ /usr/sadm/bin/smrole -D nisplus:/examplehost/example.domain \
-r primaryadm -l <Type primaryadm password> \
add -- -n clockmgr \
-c "Role that sets system time" \
-F "Clock Manager" \
-s /bin/pfksh \
-u 108 \
-P <Type clockmgr password> \
-K defaultpriv=basic,proc_priocntl,sys_cpu_config,

The -K line is wrapped for display purposes.

If the role was created locally, the user_attr entry for the role would appear similar to the following:

clockmgr:::Role that sets system time:
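
To review which users and roles carry directly assigned privileges after changes such as the usermod step and the role creation above, the user_attr entries can be audited for a defaultpriv value that goes beyond basic. The script below is an added example, not part of the original guide; the function names and the sample entries (including the timerole and asmith accounts) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report user_attr entries whose defaultpriv exceeds "basic".
# Input (stdin): user_attr lines in the form user:qualifier:res1:res2:attr
# Output: name <TAB> type <TAB> comma-separated privileges other than basic
direct_privs() {
    awk -F: '
        /^#/ || NF < 5 { next }                 # skip comments and short lines
        {
            attr = $5
            for (k = 6; k <= NF; k++) attr = attr ":" $k   # rejoin attr field
            utype = "normal"; extra = ""
            n = split(attr, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq == 0) continue
                key = substr(kv[i], 1, eq - 1)
                val = substr(kv[i], eq + 1)
                if (key == "type") utype = val
                if (key != "defaultpriv") continue
                m = split(val, p, ",")
                for (j = 1; j <= m; j++) {
                    # "basic" is the default set; a leading "!" removes a privilege
                    if (p[j] == "" || p[j] == "basic" || substr(p[j], 1, 1) == "!") continue
                    extra = extra (extra == "" ? "" : ",") p[j]
                }
            }
            if (extra != "") printf "%s\t%s\t%s\n", $1, utype, extra
        }'
}

# Constructed sample entries, not taken from a real system.
sample_user_attr() {
    cat <<'EOF'
# constructed sample user_attr content
root::::auths=solaris.*,solaris.grant;profiles=All
jdoe::::type=normal;defaultpriv=basic,proc_clock_highres
timerole::::type=role;profiles=All;defaultpriv=basic,sys_time
asmith::::type=normal;defaultpriv=basic,!proc_session
EOF
}

sample_user_attr | direct_privs
```

On a live system, run `direct_privs < /etc/user_attr` and compare the result against the accounts that are expected to hold extra privileges.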