Trusted Solaris 7 Installation and Configuration on the Sun Enterprise 10000

Trusted Solaris Roles Replace Solaris Users

The Trusted Solaris environment does not have a superuser. Superuser tasks are divided among administrative roles. Trusted Solaris administrative roles run with a special shell, the profile shell (pfsh(1M)). Roles do not log in directly; they are "assumed" by a user who has been assigned the role by the security administrator. A role can only log in remotely from the same role on another Trusted Solaris workstation. For more information on roles, see "Assuming a Role and Working in a Role Workspace" in Trusted Solaris Administrator's Procedures.

SSP User Versus SSP Role

The ssp user on Solaris SSP 3.1.1 has been replaced by the ssp role on Trusted Solaris SSP 3.1.1. Any commands that the ssp user runs in the Solaris environment are run by the ssp role in the Trusted Solaris environment. The ssp role runs with the profile shell (pfsh), and should not be changed to run with other shells.

The home directory (/export/home/ssp) for the ssp role is created at installation as a multilevel directory (MLD). The ssp role runs at label admin_low, and its files are stored in an SLD (single-label directory) at the label admin_low. See Trusted Solaris Administration Overview for an explanation of the Trusted Solaris environment and concepts.

Superuser (root) Versus root Role

The Solaris superuser (root) has been replaced by the Trusted Solaris root role. For the Trusted Solaris SSP 3.1.1 and the Trusted Solaris AP 2.2, any commands that the superuser runs in a Solaris environment are run by the root role in a Trusted Solaris environment. The root role runs with the profile shell (pfsh), and should not be changed to run with other shells.