Trusted Solaris Installation and Configuration

How to Modify a Role's Rights

When setting up a network or custom JumpStart install, some required commands may not be available to the role because they are in a path that is not assigned to the role. To add commands, programs, or scripts to the role's rights, the security administrator must modify the role's rights.

To Add a Command to a Role's Rights
  1. Log in as a user who can assume the secadmin role, and assume the role.

  2. In the secadmin role, at label ADMIN_LOW, invoke the Solaris Management Console from the Application Manager.

  3. Click the appropriate toolbox under Trusted Solaris Management Console.

    • Choose this_host: Scope=Files, Policy=TSOL if you are adding a command for a locally-defined role, or are not using a name service.

    • Choose name_server: Scope=name_service, Policy=TSOL if you are adding a command for a role defined on the network, such as for the admin role when setting up network install.

  4. In the Navigation pane, click Trusted Solaris Configuration, then Users, then double-click Rights. Enter the role password when prompted.


    Note - If toolbox icons display as red stop signs, the toolboxes will not load. To load them, do Step 4.


  5. In the View pane, scroll to the Custom Rolename Role and double-click it.

  6. Follow the online help for assistance in setting up the Custom Rolename Role right.

    For a network installation example, use the Commands tab to add the add_install_client command from a non-standard directory, such as /export/ultra_install/sparc/tsol_policy/Trusted_Solaris_8/Tools, to the Custom Admin Role right. The command should have all privileges.

  7. Make sure that the Custom Rolename Role right is assigned to Rolename. If it is not, assign it to Rolename.

    1. Navigate to Administrative Roles.

    2. Double-click the Rolename role.

    3. Click the Rights tab.

    4. Open the rights displayed in the Granted Rights column.

      If the Custom Rolename Role right is not granted, continue. If it has already been granted, click the Cancel button.

    5. Add Custom Rolename Role to the role's Granted Rights.

    6. Click OK to save your work.

  8. Return to the procedure and chapter you are working from.

To Verify That a Command is Available to a Role
  1. Log in as a user who can assume the role whose profile has been updated.

  2. Assume the role and launch a terminal from the role's workspace.

  3. Verify that the new profile is in effect in the new terminal by using the profiles(1) command.

    For example, to verify that the command in the network installation example is included in the admin role's rights profile with all privileges, as admin enter the following:


    $ profiles -l | grep setup_install_server
    /export/ultra_install/sparc/tsol_policy/Trusted_Solaris_8/Tools/setup_install_server: all

  4. Return to the procedure and chapter you are working from.
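
The check in step 3 of the verification procedure, as an added example that is not part of the Trusted Solaris manual: a grep on the command name alone also matches a same-named command granted from a different directory, so this function compares the full path and the privilege field. It assumes the "path: privileges" line shape shown in the sample output above; check_role_cmd, sample_listing, TOOLS and AWK are hypothetical names, and every listing line except the first is constructed.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris manual.
# Assumes each command line of `profiles -l` has the "path: privileges"
# shape shown in the sample output above; other lines are skipped.
AWK=${AWK:-awk}   # on Solaris set AWK=nawk (old /usr/bin/awk lacks -v)

# check_role_cmd FULL_PATH PRIVS   (listing on stdin)
# returns 0 exact path with PRIVS, 1 not listed,
#         2 exact path with other privileges, 3 same name in another directory
check_role_cmd() {
    "$AWK" -v want="$1" -v privs="$2" '
        BEGIN { n = split(want, w, "/"); base = w[n]; rc = 1 }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line !~ /^\/[^:]*:/) next          # not a "path: privs" line
            path = line; sub(/:.*$/, "", path)
            got = line;  sub(/^[^:]*:[ \t]*/, "", got); sub(/[ \t]+$/, "", got)
            m = split(path, p, "/")
            if (path == want && got == privs)  rc = 0
            else if (path == want && rc != 0)  { rc = 2; seen = got }
            else if (p[m] == base && rc == 1)  { rc = 3; other = path }
        }
        END {
            if (rc == 0) print "OK: " want ": " privs
            if (rc == 1) print "MISSING: " want
            if (rc == 2) print "PRIVILEGES DIFFER: " want ": " seen " (expected " privs ")"
            if (rc == 3) print "WRONG DIRECTORY: " other " (expected " want ")"
            exit rc
        }'
}

# Constructed listing: the first line is the sample output from this page;
# the other two are made up ("none" is a placeholder privilege value).
TOOLS=/export/ultra_install/sparc/tsol_policy/Trusted_Solaris_8/Tools
sample_listing() {
    cat <<EOF
$TOOLS/setup_install_server: all
$TOOLS/rm_install_client: none
/export/scratch/Tools/add_install_client: all
EOF
}

# In the role's terminal the real input would be:  profiles -l | check_role_cmd ...
sample_listing | check_role_cmd "$TOOLS/setup_install_server" all
```
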

To Remove a Command from a Role's Rights
  1. As secadmin, at label ADMIN_LOW, in the Solaris Management Console use the same toolbox that you used to add the command to the rights profile, and navigate to Rights.

  2. In the View pane, select the Custom Rolename Profile.

  3. Follow the online help for how to remove the command from the profile.

  4. Return to the procedure and chapter you are working from.