Each RBAC database uses a key=value syntax for storing attributes. This method accommodates future expansion of the databases. The method also enables a system to continue to operate if the system encounters a keyword that is unknown to its policy. The key=value contents link the files. The following linked entries from the four databases illustrate how the RBAC databases work together.
In the following example, the user jdoe gets the capabilities of the File System Management profile through being assigned the role filemgr.
The user jdoe is assigned the role filemgr in the jdoe user entry in the user_attr database.
    # user_attr - user definition
    jdoe::::type=normal;roles=filemgr
The role filemgr is assigned the rights profile File System Management in the role's entry in the user_attr database.
    # user_attr - role definition
    filemgr::::profiles=File System Management;type=role
The user and the role are uniquely defined in the passwd and shadow files on the local system, or in equivalent databases in a distributed name service.
The File System Management rights profile is defined in the prof_attr database. This database also assigns three sets of authorizations to the File System Management entry.
    # prof_attr - rights profile definitions and assigned authorizations
    File System Management:::Manage, mount, share file systems:help=RtFileSysMngmnt.html;auths=solaris.admin.fsmgr.*,solaris.admin.diskmgr.*,solaris.admin.volmgr.*
The authorizations are defined in the auth_attr database.
    # auth_attr - authorization definitions
    solaris.admin.fsmgr.:::Mounts and Shares::help=AuthFsmgrHeader.html
    solaris.admin.fsmgr.read:::View Mounts and Shares::help=AuthFsmgrRead.html
    solaris.admin.fsmgr.write:::Mount and Share Files::help=AuthFsmgrWrite.html
The File System Management rights profile is assigned commands with security attributes in the exec_attr database.
    # exec_attr - rights profile names with secured commands
    File System Management:suser:cmd:::/usr/sbin/mount:uid=0
    File System Management:suser:cmd:::/usr/sbin/dfshares:euid=0
    …
    File System Management:solaris:cmd:::/usr/sbin/mount:privs=sys_mount
    …
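The following script is an added example, not part of the original guide or of Solaris itself. It parses the four colon-separated databases with a small key=value attribute parser and follows the links shown above from the user jdoe to the role filemgr, to the File System Management profile, to the authorizations that match its wildcards and to the commands that carry security attributes. The sample database contents are constructed from the entries on this page; the extra auth_attr line for solaris.admin.diskmgr.read and the attribute futurekey=ignored in the jdoe entry are made up to show that a wildcard expands to whatever is defined and that an unrecognized keyword is carried along rather than breaking the lookup.

```python
"""Walk the Solaris RBAC databases from a user to the rights it receives.
Added example (not from the original page). Sample entries are constructed
from the page's jdoe/filemgr illustration; 'futurekey' and the diskmgr
authorization are invented for illustration."""
from fnmatch import fnmatchcase

USER_ATTR = """\
# user_attr - user definition (futurekey is a made-up, unknown keyword)
jdoe::::type=normal;roles=filemgr;futurekey=ignored
# user_attr - role definition
filemgr::::profiles=File System Management;type=role
"""

PROF_ATTR = """\
# prof_attr - rights profile definitions and assigned authorizations
File System Management:::Manage, mount, share file systems:help=RtFileSysMngmnt.html;auths=solaris.admin.fsmgr.*,solaris.admin.diskmgr.*,solaris.admin.volmgr.*
"""

AUTH_ATTR = """\
# auth_attr - authorization definitions (diskmgr.read line is constructed)
solaris.admin.fsmgr.:::Mounts and Shares::help=AuthFsmgrHeader.html
solaris.admin.fsmgr.read:::View Mounts and Shares::help=AuthFsmgrRead.html
solaris.admin.fsmgr.write:::Mount and Share Files::help=AuthFsmgrWrite.html
solaris.admin.diskmgr.read:::View Disks::help=AuthDiskmgrRead.html
"""

EXEC_ATTR = """\
# exec_attr - rights profile names with secured commands
File System Management:suser:cmd:::/usr/sbin/mount:uid=0
File System Management:suser:cmd:::/usr/sbin/dfshares:euid=0
File System Management:solaris:cmd:::/usr/sbin/mount:privs=sys_mount
"""


def parse_attrs(field):
    """Split 'k1=v1;k2=v2' into a dict. Unknown keys are kept untouched,
    which is what lets an older policy tolerate keywords it does not know."""
    attrs = {}
    for item in field.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def parse_db(text, nfields):
    """Return one field list per non-comment line. The attribute field is
    always last, so only the first nfields-1 colons act as separators."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", nfields - 1)
        fields += [""] * (nfields - len(fields))   # pad short entries
        rows.append(fields)
    return rows


def effective_rights(user):
    """Follow user -> roles -> profiles -> authorizations and commands.
    Returns (roles, profiles, sorted authorizations, {(policy, cmd): attrs})."""
    users = {f[0]: parse_attrs(f[4]) for f in parse_db(USER_ATTR, 5)}
    profs = {f[0]: parse_attrs(f[4]) for f in parse_db(PROF_ATTR, 5)}
    # Entries whose name ends in '.' are header lines, not grantable auths.
    auths = [f[0] for f in parse_db(AUTH_ATTR, 6) if not f[0].endswith(".")]
    execs = parse_db(EXEC_ATTR, 7)

    roles = [r for r in users.get(user, {}).get("roles", "").split(",") if r]
    profiles = []
    for role in roles:
        if users.get(role, {}).get("type") != "role":
            continue   # only entries of type=role can be assumed as roles
        profiles += [p for p in users[role].get("profiles", "").split(",") if p]

    granted, commands = set(), {}
    for prof in profiles:
        for pattern in profs.get(prof, {}).get("auths", "").split(","):
            if pattern:   # auths=solaris.admin.fsmgr.* expands against auth_attr
                granted.update(a for a in auths if fnmatchcase(a, pattern))
        for name, policy, kind, _, _, cmd, attr in execs:
            if name == prof and kind == "cmd":
                commands[(policy, cmd)] = parse_attrs(attr)
    return roles, profiles, sorted(granted), commands


if __name__ == "__main__":
    for line in effective_rights("jdoe"):
        print(line)
```

Running it for jdoe prints the single role, the single profile, the three authorizations that the fsmgr and diskmgr wildcards resolve to, and the three secured commands keyed by policy (suser versus solaris) so that the uid=0 and privs=sys_mount attributes for the same /usr/sbin/mount path are kept apart; a user with no user_attr entry gets empty results rather than an error.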