Chapter 9 Using Role-Based Access Control (Tasks)

This chapter covers tasks for distributing the capabilities of superuser by using discrete roles. The mechanisms that roles can use include rights profiles, authorizations, and privileges. The following is a list of the task maps in this chapter.

• Using RBAC (Task Map)

• Configuring RBAC (Task Map)

• Using Roles (Task Map)

• Managing RBAC (Task Map)

For an overview of RBAC, see Role-Based Access Control (Overview). For reference information, see Chapter 10, Role-Based Access Control (Reference). To use privileges with RBAC or without RBAC, see Chapter 11, Privileges (Tasks).

Using RBAC (Task Map)

To use RBAC requires planning, configuring RBAC, and knowing how to assume a role. Once roles become familiar, you might further customize RBAC to handle new operations. The following task map points to these major tasks.

Configuring RBAC (Task Map)

To use RBAC effectively requires planning. Use the following task map to plan and initially implement RBAC at your site.

Configuring RBAC

RBAC can be configured with the following utilities:

• Solaris Management Console GUI – The preferred method for performing RBAC-related tasks is through the GUI. The console tools for managing the RBAC elements are contained in the Users Tool collection.

• Solaris Management Console commands – With the Solaris Management Console command-line interfaces, such as smrole, you can operate on any name service. The Solaris Management Console commands require authentication to connect to the server. As a result, these commands are not practical for use in scripts.

• Local commands – With the user* and role* set of command-line interfaces, such as useradd, you can operate on local files only. The commands that operate on local files must be run by superuser or by a role with the appropriate privileges.

How to Plan Your RBAC Implementation

RBAC can be an integral part of how an organization manages its information resources. Planning requires a thorough knowledge of the RBAC capabilities as well as the security requirements of your organization.

1. Learn the basic RBAC concepts.

   Read Role-Based Access Control (Overview). Using RBAC to administer a system is very different from using conventional UNIX administrative practices. You should be familiar with the RBAC concepts before you start your implementation. For greater detail, see Chapter 10, Role-Based Access Control (Reference).

2. Examine your security policy.

   Your organization's security policy should detail the potential threats to your system, measure the risk of each threat, and have a strategy to counter these threats. Isolating the security-relevant tasks through RBAC can be a part of the strategy. Although you can install the recommended roles and their configurations as is, you might need to customize your RBAC configuration to adhere to your security policy.

3. Decide how much RBAC your organization needs.

   Depending on your security needs, you can use varying degrees of RBAC, as follows:

   • No RBAC – You can perform all tasks as root user. In this configuration, you log in as yourself. Then, you type root as the user when you select a Solaris Management Console tool.

   • Single Role Only – This method adds one role. The one role is assigned the Primary Administrator rights profile. This method is similar to the superuser model, in that the role has superuser capabilities. However, this method enables you to track the user who has assumed the role.

   • Recommended Roles – This method creates three roles that are based on the following rights profiles: Primary Administrator, System Administrator, and Operator. The roles are suitable for organizations with administrators at different levels of responsibility.

   • Custom Roles – You can create your own roles to meet the security requirements of your organization. The new roles can be based on existing or customized rights profiles. To customize rights profiles that enforce separation of duty, see Creating Roles and Users in Trusted Extensions in Solaris Trusted Extensions Administrator’s Procedures.

   • Root User as a Role – This method prevents any user from logging in as root. Instead, users must log in as ordinary users prior to assuming the root role. For details, see How to Make root User Into a Role.

4. Decide which recommended roles are appropriate for your organization.

   Review the capabilities of the recommended roles and default rights profiles. Default rights profiles enable administrators to configure a recommended role by using a single profile.

   Three default rights profiles are available for configuring the recommended roles:

   • Primary Administrator rights profile – For configuring a role that can perform all administrative tasks, can grant rights to others, and can edit rights that are associated with administrative roles. A user in this role can assign this role to other users, and can grant rights to other users.

   • System Administrator rights profile – For configuring a role that can perform most administrative tasks that are not related to security. For example, the System Administrator can add new user accounts, but cannot set passwords or grant rights to other users.

   • Operator rights profile – For configuring a role that can perform simple administrative tasks, such as media backup and printer maintenance.

   To further examine rights profiles, read one of the following:

   • In the /etc/security directory, read the contents of the prof_attr database and the exec_attr database.

   • In the Solaris Management Console, use the Rights tool to display the contents of a rights profile.

   • In this book, refer to Contents of Rights Profiles for summaries of some typical rights profiles.

5. Decide if any additional roles or rights profiles are appropriate for your organization.

   Look for other applications or families of applications at your site that might benefit from restricted access. Applications that affect security, that can cause denial-of-service problems, or that require special administrator training are good candidates for RBAC. You can customize roles and rights profiles to handle the security requirements of your organization.

   1. Determine which commands are needed for the new task.

   2. Decide which rights profile is appropriate for this task.

      Check if an existing rights profile can handle this task or if a separate rights profile needs to be created.

   3. Determine which role is appropriate for this rights profile.

      Decide if the rights profile for this task should be assigned to an existing role or if a new role should be created. If you use an existing role, check that the other rights profiles are appropriate for users who are assigned to this role.

6. Decide which users should be assigned to the available roles.

   According to the principle of least privilege, you should assign users to roles that are appropriate to their level of trust. When you prevent users from access to tasks that the users do not need to perform, you reduce potential problems.

How to Create and Assign a Role by Using the GUI

To create a new role, you can be superuser, or you can use the Primary Administrator role. In this procedure, the creator of the new role has assumed the role of Primary Administrator.

Before You Begin

• You have already created users who can assume a role at your site. If the users are not yet created, create them by following the instructions in How to Add a User With the Solaris Management Console’s Users Tool in System Administration Guide: Basic AdministrationUsing the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

• You have been assigned the Primary Administrator role by following the procedures in Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

1. Start the Solaris Management Console.

   # /usr/sbin/smc &

   For login instructions, see How to Assume a Role in the Solaris Management Console.

2. Click the Administrative Roles icon.

3. Select Add Administrative Role from the Action menu.

4. Create a new role by filling in the fields in the series of dialog boxes.

   For possible roles, see Example 9–1 to Example 9–4.

   ---

   Tip –

   All tools in the Solaris Management Console display information in the bottom section of the page or at the left side of a wizard panel. Choose Help at any time to find additional information about performing tasks in this interface.

   ---

5. Assign the role to a user.

   ---

   Tip –

   After filling in the properties of the role, the last dialog box prompts you for a user for the role.

   ---

6. In a terminal window, restart the name service cache daemon.

   # svcadm restart system/name-service-cache

   For more information, see the svcadm(1M) and nscd(1M) man pages.

Example 9–1 Creating a Role for the System Administrator Rights Profile

In this example, the new role can do system administration tasks that are not connected to security. The role is created by performing the preceding procedure with the following parameters:

• Role name: sysadmin

• Role full name: System Administrator

• Role description: Performs non-security admin tasks

• Rights profile: System Administrator

  This rights profile is at the top of the list of profiles that are included in the role.

Example 9–2 Creating a Role for the Operator Rights Profile

The Operator rights profile can manage printers and back up the system to offline media. You might want to assign the role to one user on each shift. To do so, you would select the role mailing list option in the Step 1: Enter a Role Name dialog box. The role is created by performing the preceding procedure with the following parameters:

• Role name: operadm

• Role full name: Operator

• Role description: Backup operator

• Rights profile: Operator

  This rights profile must be at the top of the list of profiles that are included in the role.

Example 9–3 Creating a Role for a Security-Related Rights Profile

By default, the only rights profile that contains security-related commands and rights is the Primary Administrator profile. If you want to create a role that is not as powerful as Primary Administrator, but can handle some security-related tasks, you must create the role.

In the following example, the role protects devices. The role is created by performing the preceding procedure with the following parameters:

• Role name: devicesec

• Role full name: Device Security

• Role description: Configures Devices

• Rights profile: Device Security

In the following example, the role secures systems and hosts on the network. The role is created by performing the preceding procedure with the following parameters:

• Role name: netsec

• Role full name: Network Security

• Role description: Handles IPsec, IKE, and SSH

• Rights profile: Network Security

Example 9–4 Creating a Role for a Rights Profile With Limited Scope

A number of rights profiles are of limited scope. In this example, the sole task of the role is to manage DHCP. The role is created by performing the preceding procedure with the following parameters:

• Role name: dhcpmgt

• Role full name: DHCP Management

• Role description: Manages Dynamic Host Config Protocol

• Rights profile: DHCP Management

Example 9–5 Modifying a User's Role Assignment

In this example, a role is added to an existing user. The user's role assignment is modified by clicking the User Accounts icon in the Users tool in the Solaris Management Console, double-clicking the user, and following the online help to add a role to the user's capabilities.

Troubleshooting

Check the following if the role does not have the capabilities that it should:

• Are the role's rights profiles listed in the GUI from most to least powerful?

  For example, if the All rights profile is at the top of the list, then no commands are run with security attributes. A profile that contains commands with security attributes must precede the All rights profile in the list.

• Do the commands in the role's rights profiles have the appropriate security attributes?

  For example, when the policy is suser, some commands require uid=0 rather than euid=0.

• Is the rights profile defined in the appropriate name service scope? Is the role operating in the name service scope where the rights profile is defined?

• Has the name service cache, svc:/system/name-service-cache, been restarted?

  The nscd daemon can have a lengthy time-to-live interval. By restarting the daemon, you update the name service with current data.

How to Create a Role From the Command Line

The Solaris Management Console GUI is the preferred method for managing RBAC. To use the GUI, see How to Create and Assign a Role by Using the GUI. You can also use the command-line interfaces, as described in this procedure.

Do not attempt to administer RBAC with the command line and the graphical user interface at the same time. Conflicting changes could be made to the configuration, and the behavior would be unpredictable. You can use both tools to administer RBAC, but you cannot use both concurrently.

Before You Begin

To create a role, you must either assume a role that includes the Primary Administrator rights profile, or switch to the user root.

1. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

2. Choose one of the following commands to create a role on the command line.

   • For roles in the local name service scope, use the roleadd command.

     ---

     Note –

     The roleadd command is more limited than the Solaris Management Console GUI or command-line interfaces. After running the roleadd command, you must run the usermod command to assign the role to a user. And, the user then must set the password for the role, as shown in How to Assign a Role to a Local User.

     ---

     # roleadd -c comment \ -g group -m homedir -u UID -s shell \ -P profile rolename

     -c comment

     Is a comment that describes rolename.

     -g group

     Is the group assignment for rolename.

     -m homedir

     Is the path to the home directory for rolename.

     -u UID

     Is the UID for rolename.

     -s shell

     Is the login shell for rolename. This shell must be a profile shell.

     -P profile

     Is one or more rights profiles for rolename.

     rolename

     Is the name of the new local role.

   • Use the smrole add command.

     This command creates a role in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.

     $ /usr/sadm/bin/smrole -D domain-name \ -r admin-role -l <Type admin-role password> \ add -- -n rolename -a rolename -d directory\ -F full-description -p profile

     -D domain-name

     Is the name of the domain that you want to manage.

     -r admin-role

     Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.

     -l

     Is the prompt for the password of admin-role.

     --

     Is the required separator between authentication options and subcommand options.

     -n rolename

     Is the name of the new role.

     -c comment

     Is the comment that describes the capabilities of the role.

     -a username

     Is the name of the user who can assume rolename.

     -d directory

     Is the home directory for rolename.

     -F full-description

     Is the full description for rolename. This description is displayed in the Solaris Management Console GUI.

     -p profile

     Is a rights profile that is included in the capabilities of rolename. This option gives commands with administrative capabilities to the role. You can specify multiple -p profile options.

3. To put the changes into effect, see How to Assign a Role to a Local User.

Example 9–6 Creating a Custom Operator Role by Using the smrole Command

The smrole command specifies a new role and its attributes in a name service. In the following example, the Primary Administrator creates a new version of the Operator role. The role includes the standard Operator rights profile as well as the Media Restore rights profile. Note that the command prompts you for a password for the new role.

% su - primaryadm
Password: <Type primaryadm password> 
$ /usr/sadm/bin/smrole add -H myHost -- -c "Backup and Restore Operator" \
-n operadm2 -a janedoe -d /export/home/operadm \
-F "Backup/Restore Operator" -p "Operator" -p "Media Restore"
Authenticating as user: primaryadm

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <Type primaryadm password>

Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost
Login to myHost as user primaryadm was successful.
Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful.

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password ::<Type operadm2 password>

$ svcadm restart system/name-service-cache

The smrole command with the list subcommand is used to display the new role:

$ /usr/sadm/bin/smrole list --
Authenticating as user: primaryadm

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <Type  primaryadm password>

Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost
Login to myHost as user primaryadm was successful.
Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful.
root                    0             Superuser
primaryadm            100             Most powerful role
sysadmin              101             Performs non-security admin tasks
operadm               102             Backup Operator
operadm2              103             Backup/Restore Operator

How to Assign a Role to a Local User

This procedure assigns a local role to a local user, restarts the name cache daemon, and then shows how the user can assume the role.

To assign a role to a user in a distributed name service, see How to Create a Role From the Command Line and How to Change the Properties of a Role.

Before You Begin

You have added a local role, as described in How to Create a Role From the Command Line. You must have assumed the role of Primary Administrator or have switched to superuser.

1. Assign the role to a local user.

   If you added a local role with the roleadd command, this step is required. This step is optional when you use the smrole command and the Solaris Management Console to create a role.

   # usermod -u UID -R rolename login-name

   -u UID

   Is the UID of the user.

   -R rolename

   Is the role that is being assigned to the user.

   login-name

   Is the user's login name.

2. To put the changes into effect, restart the name service cache daemon.

   # svcadm restart system/name-service-cache

   If you added a role with a Solaris Management Console interface, go to Using Roles (Task Map). Otherwise, continue with the next step.

3. (Optional) To unlock the role account, the user must create a password.

   If you added a local role with the roleadd command, this step is required.

   % su - rolename Password: <Type rolename password> Confirm Password: <Retype rolename password> $

Example 9–7 Creating and Assigning a Local Role From the Command Line

In this example, a role is created to administer the Solaris Cryptographic Framework. The Crypto Management rights profile contains the cryptoadm command for administering hardware and software cryptographic services on a local system.

# roleadd -c "Cryptographic Services manager" \
-g 14 -m /export/home/cryptoadm -u 104 -s pfksh \
-P "Crypto Management" cryptomgt
# usermod -u 1111 -R cryptomgt
# svcadm restart system/name-service-cache
% su - cryptomgt
Password: <Type cryptomgt password>
Confirm Password: <Retype cryptomgt password>
$ /usr/ucb/whoami
cryptomgt
$

For information about the Solaris Cryptographic Framework, see Chapter 13, Solaris Cryptographic Framework (Overview). To administer the framework, see Administering the Cryptographic Framework (Task Map).

How to Audit Roles

The actions that a role performs can be audited. Included in the audit record is the login name of the user who assumed the role, the role name, and the action that the role performed. The 6180:AUE_prof_cmd:profile command:ua,as audit event collects the information. By preselecting the as class or the ua class, you can audit role actions.

1. Plan for auditing and edit the audit configuration files.

   For more information, see Solaris Auditing (Task Map).

2. Include the ua class or the as class in the flags line of the audit_control file.

   ## audit_control file flags:lo,as naflags:lo plugin:name=audit_binfile.so; p_dir=/var/audit

   The ua class and the as class include other audit events. To see the audit events that are included in a class, read the audit_event file. You can also use the auditrecord command, as shown in Example 30–24.

3. Finish configuring the auditing service, then enable auditing.

   For more information, see Configuring and Enabling the Audit Service (Tasks).

How to Make root User Into a Role

This procedure shows how to change root from a login user to a role. When you complete this procedure, you can no longer directly log in to the system as root, except in single-user mode. You must be assigned the root role and su to root.

By changing the root user into a role, you prevent anonymous root login. Because a user must log in and then assume the root role, the user's login ID is provided to the auditing service and is in the sulog file.

In this procedure, you create a local user and assign the root role to the user. To prevent users from assuming the role, see Example 9–8.

1. As a regular user, log in to the target system.

2. Assume the Primary Administrator role, or become superuser.

   The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

3. Create a local user who can assume the root role.

   For safety, at least one local user should be assigned the root role.

   $ useradd -c comment -u uid -d homedir username

   -c comment

   Is the comment that describes the user.

   -d homedir

   Is the home directory of the user. This directory should be on the local system.

   -u uid

   Is the user identification number.

   username

   Is the name of the new local user.

   # useradd -c "JDoe's local account" -u 123 -d /export/home1 jdoe-local

4. Give the user a password.

   # passwd -r files jdoe-local New Password: <Type password> Re-enter new Password: <Retype password> passwd: password successfully changed for jdoe-local #

5. Make sure that you are not logged in as root.

   # who jdoe console May 24 13:51 (:0) jdoe pts/5 May 24 13:51 (:0.0) jdoe pts/4 May 24 13:51 (:0.0) jdoe pts/10 May 24 13:51 (:0.0)

6. Change root user into a role.

   # usermod -K type=role root

7. Verify that root is a role.

   The root entry in the user_attr file should appear similar to the following:

   # grep root /etc/user_attr root::::type=role;auths=solaris.*,solaris.grant;profiles=...

8. Assign the root role to your local account.

   # usermod -R root jdoe-local

   ---

   Caution –

   If you do not assign the root role to a user, no one can become superuser, except in single-user mode. You must type a root password to enter single-user mode.

   ---

9. Configure the name service to return in case of failure.

   1. Open a new terminal window and assume the root role.

      % whoami jdoe % su - jdoe-local Enter password: <Type jdoe-local password> % roles root % su - root Enter password: <Type root password> #

   2. Edit the nsswitch.conf file.

      For example, the following entries in the nsswitch.conf file would enable the name service to return.

      passwd: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return] group: files nis [TRYAGAIN=0 UNAVAIL=return NOTFOUND=return]

10. (Optional) Assign the root role to selected user accounts in the name service.

    For the procedure, see How to Change the RBAC Properties of a User.

Example 9–8 Preventing the root Role From Being Used to Configure a System

In this example, site security policy requires that several discrete roles configure the system. These discrete roles have been created and tested. To prevent the root account from being used to configure the system, the security administrator changes root into a role, but does not assign the role. The root role retains a password to enter the system in single-user mode.

First, the administrator verifies that root is not an assigned role.

% whoami
jdoe-local
% su - root
Password: a!2@3#4$5%6^7
# grep roles /etc/user_attr
jdoe-local::::type=normal;roles=secadmin
kdoe-local::::type=normal;roles=sysadmin

Still in the root account, the administrator changes root into a role.

# usermod -K type=role root

Then, the administrator verifies the change in the root entry in the user_attr file.

# grep root /etc/user_attr
root::::type=role;auths=solaris.*,solaris.grant;profiles=...

Example 9–9 Changing the root Role Back Into the root User

In this example, the administrator is decommissioning a system and wants to log in to the desktop as superuser. The system has been removed from the network.

First, the administrator assumes the root role to remove all root role assignments.

% whoami
jdoe-local
% su - root
Password: a!2@3#4$5%6^7
# grep roles /etc/user_attr
jdoe-local::::type=normal;roles=root
kdoe-local::::type=normal;roles=root
# usermod -R "" jdoe-local
# usermod -R "" kdoe-local
# grep roles /etc/user_attr
#

Still in the root role, the administrator changes root into a user.

# rolemod -K type=normal root

Then, the administrator verifies the change in the root entry in the user_attr file.

# grep root /etc/user_attr
root::::type=normal;auths=solaris.*,solaris.grant;profiles=...

Troubleshooting

In a desktop environment, you cannot directly log in as root when root is a role. A diagnostic message indicates that root is a role on your system. If you do not have a local account that can assume the root role, create one. As root, log in to the system in single-user mode, create a local user account, and assign the root role to the new account. Then, log in as the new user and assume the root role.

No one can become superuser if you change the root user into a role and fail to make one of the following assignments:

• Assign the root role to a valid user.

• Assign a rights profile that is equivalent to root's rights profile to a valid user. The Primary Administrator profile is an equivalent rights profile for root capabilities.

• Create a role that has the capabilities of root and assign the role to a valid user. A role that is assigned the Primary Administrator profile is equivalent to the root role.

Using Roles (Task Map)

The following task map points to procedures for using your role after roles have been assigned.

Using Roles

After you have set up roles with default Solaris rights profiles, and assigned the roles to users, the roles can be used. A role can be assumed on the command line. In the Solaris Management Console, a role can also be used for administering the system locally and over the network.

How to Assume a Role in a Terminal Window

Before You Begin

The role must already be assigned to you. The name service must be updated with that information.

1. In a terminal window, determine which roles you can assume.

   % roles Comma-separated list of role names is displayed

2. Use the su command to assume a role.

   % su - rolename Password: <Type rolename password> $

   The su - rolename command changes the shell to a profile shell for the role. A profile shell recognizes security attributes (authorizations, privileges, and set ID bits).

3. Verify that you are now in a role.

   $ /usr/ucb/whoami rolename

   You can now perform role tasks in this terminal window.

4. (Optional) View the capabilities of your role.

   For the procedure, see How to Determine the Privileged Commands That a Role Can Run.

Example 9–10 Assuming the Primary Administrator Role

In the following example, the user assumes the role of Primary Administrator. In the default configuration, this role is equivalent to superuser. The role then checks to see which privileges are available to any command that is typed in the profile shell for the role.

% roles
sysadmin,oper,primaryadm
% su - primaryadm
Password: <Type primaryadm password>
$ /usr/ucb/whoami Prompt has changed to role prompt
primaryadm
$ ppriv $$
1200:   pfksh
flags = <none>
        E (Effective): all
        I (Inheritable): basic
        P (Permitted): all
        L (Limit): all

For information about privileges, see Privileges (Overview).

Example 9–11 Assuming the root Role

In the following example, the user assumes the root role. The role was created in How to Make root User Into a Role

% roles
root
% su - root
Password: <Type root password>
# /usr/ucb/whoami Prompt has changed to role prompt
root
$ ppriv $$
1200:   pfksh
flags = <none>
        E: all
        I: basic
        P: all
        L: all

For information about privileges, see Privileges (Overview).

Example 9–12 Assuming the System Administrator Role

In the following example, the user assumes the role of System Administrator. In contrast to the Primary Administrator role, the System Administrator has the basic set of privileges in its effective set.

% roles
sysadmin,oper,primaryadm
% su - sysadmin
Password: <Type sysadmin password>
$ /usr/ucb/whoami Prompt has changed to role prompt
sysadmin
$ ppriv $$
1200:   pfksh
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

For information about privileges, see Privileges (Overview). For a short description of the capabilities of the role, see System Administrator Rights Profile.

How to Assume a Role in the Solaris Management Console

To change information in the Solaris Management Console GUI requires administrative capabilities. A role gives you administrative capabilities. If you want to view information, you must have the solaris.admin.usermgr.read authorization. The Basic Solaris User rights profile includes this authorization.

Before You Begin

An administrative role that can change the properties of users or roles must have already been assigned to you. For example, the Primary Administrator role can change the properties of users or roles.

1. Start the Solaris Management Console.

   % /usr/sbin/smc &

   For detailed instructions, see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration.

2. Select the toolbox for your task.

   Navigate to the toolbox that contains the tool or collection in the appropriate name service scope and click the icon. The scopes are files (local), NIS, NIS+, and LDAP. If the appropriate toolbox is not displayed in the navigation pane, choose Open Toolbox from the Console menu and load the relevant toolbox.

3. Select the tool that you want to use.

   Navigate to the tool or collection and click the icon. The tools for managing the RBAC elements are in the Users tool, as shown in the following figure.

   

4. Type your user name and password in the Login: User Name dialog box.

5. Authenticate yourself in the Login: Role dialog box.

   The Role option menu in the dialog box displays the roles that are assigned to you. Choose a role and type the role password.

Managing RBAC (Task Map)

The following task map points to procedures for customizing role-based access control (RBAC) after RBAC has been initially implemented.

These procedures manage the elements that are used in RBAC. For user management procedures, refer to Chapter 5, Managing User Accounts and Groups (Tasks), in System Administration Guide: Basic Administration.

Managing RBAC

The Solaris Management Console GUI is the preferred method for managing RBAC.

Do not attempt to administer RBAC with the command line and the graphical user interface at the same time. Conflicting changes could be made to the configuration, and the behavior would be unpredictable. Both tools can administer RBAC, but you cannot use both tools concurrently.

How to Change the Password of a Role

Before You Begin

You must have assumed a role that includes the User Security profile or have switched to superuser. You cannot be in the role whose password you want to change. A role cannot change its own password.

1. Use one of the following methods to change a role's password.

   • As superuser or in a role that includes the User Security rights profile, run the passwd command.

     $ passwd -r naming-service target-rolename

     -r naming-service

     Applies the password change to one of the following repositories files, nis, nisplus, or ldap. If a repository is not specified, the password is changed in files.

     target-rolename

     Is the name of an existing role that you want to modify.

     For more command options, see the passwd(1) man page.

   • Change the password in the Solaris Management Console.

     To start the console, see How to Assume a Role in the Solaris Management Console.

     1. Log in to the console as superuser or in a role that includes the User Security rights profile.

        The login role cannot be the target role.

     2. Choose the appropriate scope.

        The Files scope modifies the role password on the local system. The LDAP scope modifies the role password in the LDAP naming service.

     3. Navigate to Administrative Roles and follow the instructions in the left-hand pane.

        For more extensive information, see the online help.

   • As superuser or in a role that includes the User Security rights profile, run the smrole command with the modify subcommand.

     This command runs as a client of the Solaris Management Console server.

     $ /usr/sadm/bin/smrole -D domain-name -r admin-role -l <Type admin-role password> \ modify -- -n target-rolename -P password

     -D domain-name

     Is the name of the domain that you want to manage.

     -r admin-role

     Is the name of the administrative role that can modify the target role. The administrative role must have the solaris.admin.usermgr.pswd authorization. The administrative role and the target role cannot be the same role.

     -l

     Is the prompt for the password of admin-role.

     --

     Is the required separator between authentication options and subcommand options.

     -n target-rolename

     Is the name of the target role.

     -P password

     Is the new password for target-rolename.

     For the full list of command options, see the smrole(1M) man page.

Example 9–13 Changing a Local Role's Password With the passwd Command

In this example, superuser changes the password of the local operadm role.

# passwd -r files  operadm
New password: Type new password
Re-enter new password: Retype new password

Example 9–14 Changing a Role's Password in an LDAP Repository

In this example, the Primary Admin role changes the password of the operadm role in the LDAP directory service.

$ passwd -r ldap operadm
New password: Type new password
Re-enter new password: Retype new password

Example 9–15 Changing a Role's Password With the smrole modify Command

In this example, the administrator contacts the Solaris Management Console server to change the operadm password in the NIS domain. When the administrator does not provide the password before pressing the Return key, the New Password: prompt appears.

$ /usr/sadm/bin/smrole -D nis:/examplehost/example.domain \
-r primaryadm -l <Type primaryadm password> \
modify -- -n operadm -P Press the Return key
New Password: a!2@3#4$5%6*7
$

How to Change the Properties of a Role

Before You Begin

You must have assumed the role of Primary Administrator or have switched to superuser to change the properties of a role. Role properties include password, rights profiles, and authorizations.

To change a role's password property, see How to Change the Password of a Role.

1. Use one of the following methods to change the properties of a role.

   • Use the Users tool in the Solaris Management Console.

     To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a role in Administrative Roles. For more extensive information, see the online help.

   • Use the rolemod command.

     This command modifies the attributes of a role that is defined in the local name service.

     $ rolemod -c comment -P profile-list rolename

     -c comment

     Is the new comment that describes the capabilities of the role.

     -P profile-list

     Is the list of the profiles that are included in the role. This list replaces the current list of profiles.

     rolename

     Is the name of an existing, local role that you want to modify.

     For more command options, see the rolemod(1M) man page.

   • Use the smrole command with the modify subcommand.

     This command modifies the attributes of a role in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.

     $ /usr/sadm/bin/smrole -D domain-name \ -r admin-role -l <Type admin-role password> \ modify -- -n rolename -r username -u username

     -D domain-name

     Is the name of the domain that you want to manage.

     -r admin-role

     Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.

     -l

     Is the prompt for the password of admin-role.

     --

     Is the required separator between authentication options and subcommand options.

     -n rolename

     Is the name of the new role.

     -r username

     Is the name of the user who can no longer assume rolename.

     -u username

     Is the name of the user who can now assume rolename.

     For more command options, see the smrole(1M) man page.

Example 9–16 Changing a Local Role's Properties With the rolemod Command

In this example, the operadm role is modified to include the Media Restore rights profile.

$ rolemod -c "Handles printers, backup, AND restore" \
-P "Printer Management,Media Backup,Media Restore,All" operadm

Example 9–17 Changing a Local Role's Properties With the smrole modify Command

In the following example, the operadm role is modified to add the Media Restore rights profile.

$ /usr/sadm/bin/smrole -r primaryadm -l <Type primaryadm password> \
modify -- -n operadm -c "Handles printers, backup, AND restore" \
-p "Media Restore"

Example 9–18 Changing a Role in a Domain With the smrole modify Command

In the following example, the clockmgr role is changed. The NIS user whose ID is 108 can no longer assume the role. The NIS user whose ID is 110 can assume the role clockmgr.

$ /usr/sadm/bin/smrole -D nis:/examplehost/example.domain \
-r primaryadm -l <Type primaryadm password> \
modify -- -n clockmgr -r 108 -u 110

How to Create or Change a Rights Profile

A rights profile is a property of a role. You should create or change a rights profile when the prof_attr database does not contain a rights profile that fulfills your needs. To learn more about rights profiles, see RBAC Rights Profiles.

Before You Begin

To create or change a rights profile, you must have assumed the role of Primary Administrator or have switched to superuser.

1. Use one of the following methods to create or change a rights profile.

   • Use the Users tool in the Solaris Management Console.

     To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to create or change a rights profile in Rights. For more extensive information, see the online help.

   • Use the smprofile command.

     This command enables you to add, modify, list, or delete a rights profile. The command works on files, and in a distributed name service, such as NIS, NIS+, or LDAP. The smprofile command runs as a client of the Solaris Management Console server.

     $ /usr/sadm/bin/smprofile -D domain-name \ -r admin-role -l <Type admin-role password> \ add | modify -- -n profile-name \ -d description -m help-file -p supplementary-profile

     -D domain-name

     Is the name of the domain that you want to manage.

     -r admin-role

     Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.

     -l

     Is the prompt for the password of admin-role.

     --

     Is the required separator between authentication options and subcommand options.

     -n profile-name

     Is the name of the new profile.

     -d description

     Is a short description of the profile.

     -m help-file

     Is the name of the HTML help file that you have created and placed in the /usr/lib/help/profiles/locale/C directory.

     -p supplementary-profile

     Is the name of an existing rights profile that is included in this rights profile. You can specify multiple -p supplementary-profile options.

     For more command options, see the smprofile(1M) man page.

Example 9–19 Modifying a Rights Profile From the Command Line

In the following example, the Network Management rights profile is made a supplementary profile of the Network Security rights profile. The role that contains the Network Security profile can now configure the network and hosts, as well has run security-relevant commands.

$ /usr/sadm/bin/smprofile -D nisplus:/example.host/example.domain \
-r primaryadm -l <Type primaryadm password> \
modify -- -n "Network Security" \
-d "Manage network and host configuration and security" \
-m RtNetConfSec.html -p "Network Management"

The administrator created a new help file, RtNetConfSec.html, and placed it in the /usr/lib/help/profiles/locale/C directory, before running this command.

Example 9–20 Modifying an Existing Rights Profile

In the following example, the security administrator of MyCompany customizes the Console User rights profile. Another goal is to retain the customized rights profile when the Solaris OS is updated to a later version.

First, the administrator closes the Solaris Management Console.

Then, the administrator opens the prof_attr file, copies the Console User rights profile to the next line, and renames the second entry. The administrator uses the existing help file, RtConsUser.html.

# vi /etc/security/prof_attr
Console User:::Manage System as the Console User:help=RtConsUser.html
MyCompany Console User:::Manage System as the Console User:help=RtConsUser.html

The administrator assumes the secadmin role. The secadmin role can modify the security features of a system. The secadmin role opens the Solaris Management Console, clicks the System Configuration and the Users tool, types the role password, and double-clicks the Rights tool.

The administrator double-clicks the MyCompany Console User rights profile. Under the Authorizations tab, the administrator adds two authorizations to the Authorizations Included list and saves the changes. When the system is patched or updated to a later version of the Solaris OS, the Console User rights profile is updated and the MyCompany Console User rights profile is not changed.

Example 9–21 Creating a New Rights Profile With the Rights Tool

The following table shows sample data for a hypothetical rights profile that is called “Build Administrator”. This rights profile includes the commands in the subdirectory /usr/local/swctrl/bin. These commands have an effective UID of 0. The Build Administrator rights profile would be useful for administrators who manage the builds and versioning for software development.

Troubleshooting

Check the following if the rights profile does not provide the role with the capabilities that you expect:

• Are the rights profiles for the role listed in the GUI from most to least powerful?

  For example, if the All rights profile is at the top of the list, then no commands are run with security attributes. A profile that contains commands with security attributes must precede the All rights profile in the list.

• Is a command listed more than once in the role's rights profiles? If so, does the first instance of the command have all the security attributes that are required?

  For example, a command can require privileges for particular options to the command. For the options that require privileges to succeed, the first instance of the command in the highest rights profile in the list must have the assigned privileges.

• Do the commands in the role's rights profiles have the appropriate security attributes?

  For example, when the policy is suser, some commands require uid=0 rather than euid=0 to succeed.

• Has the name service cache, svc:/system/name-service-cache, been restarted?

  The nscd daemon can have a lengthy time-to-live interval. By restarting the daemon, you update the name service with current data.

How to Change the RBAC Properties of a User

User properties include password, rights profiles, and authorizations. The most secure method of giving a user administrative capabilities is to assign a role to the user. For a discussion, see Security Considerations When Directly Assigning Security Attributes.

Before You Begin

You must have assumed the role of Primary Administrator or have switched to superuser to change the properties of a user.

1. Use one of the following methods to change the RBAC properties of a user.

   • Use the Users tool in the Solaris Management Console.

     To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a user in User Accounts. For more extensive information, see the online help.

     ---

     Tip –

     It is not good practice to assign authorizations, privileges, or rights profiles directly to users. The preferred approach is to assign a role to users. Users then assume a role to perform privileged operations.

     ---

   • Use the usermod command.

     This command modifies the attributes of a user that is defined in the local name service.

     $ usermod -R rolename username

     -R rolename

     Is the name of an existing local role.

     username

     Is the name of an existing, local user that you want to modify.

     For more command options, see the usermod(1M) man page.

   • Use the smuser command with the modify subcommand.

     This command modifies the attributes of a user in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.

     $ /usr/sadm/bin/smuser -D domain-name \ -r admin-role -l <Type admin-role password> \ modify -- -n username -a rolename

     -D domain-name

     Is the name of the domain that you want to manage.

     -r admin-role

     Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.

     -l

     Is the prompt for the password of admin-role.

     --

     Is the required separator between authentication options and subcommand options.

     -n username

     Is the name of the user who is being assigned rolename.

     -a rolename

     Is the name of the role that you are assigning to username. You can specify multiple -a rolenameoptions.

     For more command options, see the smuser(1M) man page.

Example 9–22 Modifying a Local User's RBAC Properties From the Command Line

In this example, the user jdoe can now assume the role of System Administrator.

$ usermod -R sysadmin jdoe

Example 9–23 Modifying a User's RBAC Properties With the smuser Command

In this example, the user jdoe is assigned two roles, System Administrator and Operator. Because the user and the roles are defined locally, the -D option is not necessary.

$ /usr/sadm/bin/smuser -r primaryadm -l <Type primaryadm password> \
modify -- -n jdoe -a sysadmin -a operadm

In the following example, the user is defined in the NIS name service. Therefore, the -D option is required. Two roles are defined in the name service. One role, root, is defined locally.

$ /usr/sadm/bin/smuser -D nis:/examplehost/example.domain \
-r primaryadm -l <Type primaryadm password> \
modify -- -n jdoe -a sysadmin -a operadm -a root

How to Add RBAC Properties to Legacy Applications

A legacy application is a command or set of commands. The security attributes are set for each command in a rights profile. The rights profile is then included in a role. A user who assumes the role can run the legacy application with the security attributes.

To add legacy applications to the Solaris Management Console, see Adding Tools to the Solaris Management Console in System Administration Guide: Basic Administration.

Before You Begin

You must have assumed the role of Primary Administrator or have switched to superuser to change the security attributes of a command in a rights profile.

1. Use the Users tool in the Solaris Management Console.

   To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a rights profile in Rights. For more extensive information, see the online help.

2. Add security attributes to the commands that implement the legacy application.

   You add security attributes to a legacy application in the same way that you would for any command. You must add the command with security attributes to a rights profile. For a legacy command, give the command euid=0 or uid=0 security attributes. For details of the procedure, see How to Create or Change a Rights Profile.

3. After adding the legacy application to a rights profile, include the rights profile in a role's list of profiles.

   To add a rights profile to a role, see How to Change the Properties of a Role.

Example 9–24 Adding Security Attributes to Commands in a Script

If a command in a script needs to have the setuid bit or setgid bit set to succeed, the script executable and the command must have the security attributes added in a rights profile. Then, the rights profile is included in a role, and the role is assigned to a user. When the user assumes the role and executes the script, the command runs with the security attributes.

To add security attributes to a command or shell script, see How to Create or Change a Rights Profile.

Example 9–25 Checking for Authorizations in a Script or Program

To have a script for authorizations, you need to add a test that is based on the auths command. For detailed information about this command, see the auths(1) man page.

For example, the following line tests if the user has the authorization that is supplied as the $1 argument:

if [ `/usr/bin/auths|/usr/xpg4/bin/grep $1` ]; then
        echo Auth granted
else
        echo Auth denied
fi

To be more complete, the test should include logic that checks for other authorizations that use wildcards. For example, to test if the user has the solaris.admin.usermgr.write authorization, you would need to check for the following strings:

• solaris.admin.usermgr.write

• solaris.admin.usermgr.*

• solaris.admin.*

• solaris.*

If you are writing a program, use the function getauthattr() to test for the authorization.