Skip this procedure if separation of duty is not a site security requirement. If your site requires separation of duty, you must create these rights profiles and roles before you populate the LDAP server.
This procedure creates rights profiles that have discrete capabilities to manage users. When you assign these profiles to distinct roles, two roles are required to create and configure users. One role can create users, but cannot assign security attributes. The other role can assign security attributes, but cannot create users. When you log in to the Solaris Management Console in a role that is assigned one of these profiles, only the appropriate tabs and fields are available to the role.
You must be superuser, in the root role, or in the Primary Administrator role. When you start this procedure, the Solaris Management Console must be closed.
Create copies of the default rights profiles that affect user configuration.
Copy the prof_attr file to the prof_attr.orig file.
Open the prof_attr file in the trusted editor.
# /usr/dt/bin/trusted_edit /etc/security/prof_attr
Copy the three rights profiles and rename the copies.
System Administrator:::Can perform most non-security...
Custom System Administrator:::Can perform most non-security...
User Security:::Manage passwords...
Custom User Security:::Manage passwords...
User Management:::Manage users, groups, home...
Custom User Management:::Manage users, groups, home...
Save the changes.
Verify the changes.
# grep ^Custom /etc/security/prof_attr
Custom System Administrator:::Can perform most non-security...
Custom User Management:::Manage users, groups, home...
Custom User Security:::Manage passwords...
Copying a rights profile rather than modifying it enables you to upgrade the system to a later Solaris release and retain your changes. Because these rights profiles are complex, modifying a copy of the default profile is less prone to error than building the more restrictive profile from scratch.
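The copy-and-rename step above, scripted as an added example (this is not part of the Trusted Extensions documentation): it backs up a prof_attr file, appends a "Custom " copy of each named profile, and counts the result the way the grep ^Custom check does. It assumes the prof_attr line format profname:res1:res2:desc:attr and runs only against a constructed sample file, never the live /etc/security/prof_attr.

```shell
#!/bin/sh
# Added example, not from the Trusted Extensions documentation: duplicate the
# three default user-management rights profiles under a "Custom " prefix, the
# way the procedure above does by hand in the trusted editor.
# Assumed prof_attr line format: profname:res1:res2:desc:attr (one per line).
# Works on a constructed sample file, never on the live /etc/security/prof_attr.

# make_sample_prof_attr FILE : write a constructed prof_attr sample to FILE.
# The descriptions follow the page; the attr fields are placeholders.
make_sample_prof_attr() {
    cat > "$1" <<'EOF'
System Administrator:::Can perform most non-security administrative tasks:profiles=Sample Profile
User Security:::Manage passwords and security attributes:auths=sample.auth
User Management:::Manage users, groups, home directories:auths=sample.auth
Basic Solaris User:::Automatically assigned rights:auths=sample.auth
EOF
}

# copy_profiles FILE NAME... : keep a pristine FILE.orig (made only once), then
# append a "Custom NAME" copy of each named profile. An existing Custom copy is
# left alone, so re-running is harmless. Returns 1 if any NAME is not present.
copy_profiles() {
    file=$1; shift
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig"
    status=0
    for name in "$@"; do
        if grep -q "^Custom $name:" "$file"; then
            continue
        fi
        line=$(grep "^$name:" "$file" | head -n 1)
        if [ -z "$line" ]; then
            echo "profile not found: $name" >&2
            status=1
            continue
        fi
        printf 'Custom %s\n' "$line" >> "$file"
    done
    return $status
}

# count_custom FILE : number of Custom profiles, the page's grep ^Custom check.
count_custom() {
    grep -c '^Custom ' "$1" || :
}
```

Call `copy_profiles FILE "System Administrator" "User Security" "User Management"` on a sample written by `make_sample_prof_attr`, then `count_custom FILE` should report 3.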
Start the Solaris Management Console.
# /usr/sbin/smc &
Select the This Computer (this-host: Scope=Files, Policy=TSOL) toolbox.
Click System Configuration, then click Users.
You are prompted for your password.
Type the appropriate password.
Double-click Rights.
Modify the Custom User Security rights profile.
You restrict this profile from creating a user.
Modify the Custom User Management profile.
You restrict this profile from setting a password.
Modify the Custom System Administrator rights profile.
The User Management profile is a supplementary profile in this profile. You prevent the system administrator from setting a password.
To prevent the default profiles from being used, see Step 7 in Verify That the Trusted Extensions Roles Work after you verify that the custom profiles enforce separation of duty.