System Administration Guide: Security Services

Procedure: How to Change the RBAC Properties of a User

User properties include password, rights profiles, and authorizations. The most secure method of giving a user administrative capabilities is to assign a role to the user. For a discussion, see Security Considerations When Directly Assigning Security Attributes.

Before You Begin

You must have assumed the role of Primary Administrator or have switched to superuser to change the properties of a user.

  1. Use one of the following methods to change the RBAC properties of a user.

    • Use the Users tool in the Solaris Management Console.

      To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a user in User Accounts. For more extensive information, see the online help.


      Tip –

      It is not good practice to assign authorizations, privileges, or rights profiles directly to users. The preferred approach is to assign a role to users. Users then assume a role to perform privileged operations.


    • Use the usermod command.

      This command modifies the attributes of a user that is defined in the local name service.


      $ usermod -R rolename username

      -R rolename

      Is the name of an existing local role.

      username

      Is the name of an existing, local user that you want to modify.

      For more command options, see the usermod(1M) man page.

    • Use the smuser command with the modify subcommand.

      This command modifies the attributes of a user in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.


      $ /usr/sadm/bin/smuser -D domain-name \
      -r admin-role -l <Type admin-role password> \
      modify -- -n username -a rolename

      -D domain-name

      Is the name of the domain that you want to manage.

      -r admin-role

      Is the name of the administrative role that can modify the user's role assignments. The administrative role must have the solaris.role.assign authorization. If you are assigning a role that you have assumed, that role must have the solaris.role.delegate authorization.

      -l

      Is the prompt for the password of admin-role.

      --

      Is the required separator between authentication options and subcommand options.

      -n username

      Is the name of the user who is being assigned rolename.

      -a rolename

      Is the name of the role that you are assigning to username. You can specify multiple -a rolename options.

      For more command options, see the smuser(1M) man page.


Example 9–22 Modifying a Local User's RBAC Properties From the Command Line

In this example, the user jdoe can now assume the role of System Administrator.


$ usermod -R sysadmin jdoe


Example 9–23 Modifying a User's RBAC Properties With the smuser Command

In this example, the user jdoe is assigned two roles, System Administrator and Operator. Because the user and the roles are defined locally, the -D option is not necessary.


$ /usr/sadm/bin/smuser -r primaryadm -l <Type primaryadm password> \
modify -- -n jdoe -a sysadmin -a operadm

In the following example, the user is defined in the NIS name service. Therefore, the -D option is required. Two roles are defined in the name service. One role, root, is defined locally.


$ /usr/sadm/bin/smuser -D nis:/examplehost/example.domain \
-r primaryadm -l <Type primaryadm password> \
modify -- -n jdoe -a sysadmin -a operadm -a root
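After running either procedure, an administrator will want to confirm which roles a user can now assume and to audit for the practice the Tip above discourages (authorizations or rights profiles assigned directly to an ordinary user). The following POSIX shell script is an added example, not part of this guide, that performs both checks against a constructed sample in the /etc/user_attr format (user:qualifier:res1:res2:attr, with attr holding ;-separated key=value pairs); the sample's jdoe entry reflects the result of Example 9–23.

```shell
#!/bin/sh
# Constructed /etc/user_attr sample (not from a real system). Field layout is
# user:qualifier:res1:res2:attr; attr is a ;-separated list of key=value pairs.
# jdoe reflects the result of Example 9-23: roles sysadmin, operadm and root.
SAMPLE_USER_ATTR='# constructed sample, comment lines are ignored
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
sysadmin::::type=role;profiles=System Administrator
operadm::::type=role;profiles=Operator
jdoe::::type=normal;roles=sysadmin,operadm,root
asmith::::type=normal;profiles=Printer Management;auths=solaris.admin.printer.delete'

# user_roles DATA USER: print the comma-separated roles USER may assume
# (empty output when the account has no roles= entry).
user_roles() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        /^#/ { next }
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^roles=/) { sub(/^roles=/, "", kv[i]); print kv[i] }
        }'
}

# direct_assignments DATA: print "user key=value" for every account that is
# not a role (no type=role) but carries auths= or profiles= directly, which is
# the practice the Tip discourages. Roles are expected to hold profiles and
# authorizations, so they are skipped.
direct_assignments() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || NF < 5 { next }
        {
            n = split($5, kv, ";"); isrole = 0
            for (i = 1; i <= n; i++) if (kv[i] == "type=role") isrole = 1
            if (isrole) next
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^(auths|profiles)=/) print $1, kv[i]
        }'
}

# Stand-alone run against the sample. On a live system, pass
# "$(cat /etc/user_attr)" instead of "$SAMPLE_USER_ATTR".
echo "roles of jdoe: $(user_roles "$SAMPLE_USER_ATTR" jdoe)"
echo "direct assignments to non-role accounts:"
direct_assignments "$SAMPLE_USER_ATTR"
```

On a live Solaris system, the roles(1) command reports the same role list for a user; the second check has no direct equivalent and is what a periodic audit would run.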