Trusted Solaris Administration Overview

Understanding Authorizations

An authorization is a discrete right granted to a user or role. Certain trusted applications check for it to decide whether the user is permitted to execute a restricted function. For example, on a conventional system the file manager allows only the superuser to change the ownership of a file; in the Trusted Solaris operating environment, the authorization Change File Owner is required instead.

An authorization has a name, which is used internally and in files (for example, solaris.file.owner), and a short description, which appears in the graphical interfaces (for example, Act as File Owner). By convention, authorization names begin with the organization's internet domain name in reverse order, followed by the subject area, any subarea, and the function, all separated by dots, for example, com.xyzcorp.device.access. The exception to this convention is the set of authorizations from Sun Microsystems, Inc., which use the prefix solaris. instead of a reversed internet name. This convention enables administrators to apply authorizations hierarchically: a wildcard (*) placed after a dot represents any string to the right of that dot, so solaris.admin.usermgr.* covers every authorization in the usermgr subarea.

The authorizations provided in the Trusted Solaris environment are shown in the following table.

Table 1-3 Authorizations

Authorization Category        Authorization Name -- Short Description

solaris.admin.dcmgr.*
    solaris.admin.dcmgr.admin -- Manage OS Services and Patches
    solaris.admin.dcmgr.clients -- Manage Diskless Clients
    solaris.admin.dcmgr.read -- View OS Services, Patches and Diskless Clients

solaris.admin.diskmgr.*
    solaris.admin.diskmgr.read -- View Disks
    solaris.admin.diskmgr.write -- Manage Disks

solaris.admin.fsmgr.*
    solaris.admin.fsmgr.write -- Mount and Share Files
    solaris.admin.fsmgr.read -- View Mounts and Shares

solaris.admin.logsvc.*
    solaris.admin.logsvc.write -- Manage Log Settings
    solaris.admin.logsvc.purge -- Remove Log Files
    solaris.admin.logsvc.read -- View Log Files

solaris.admin.nameservice.*
    solaris.admin.nameservice.config -- Name Service Configuration

solaris.admin.printer.*
    solaris.admin.printer.read -- View Printer Information
    solaris.admin.printer.modify -- Update Printer Information
    solaris.admin.printer.delete -- Delete Printer Information

solaris.admin.procmgr.*
    solaris.admin.procmgr.admin -- Manage All Processes
    solaris.admin.procmgr.user -- Manage Owned Processes

solaris.admin.serialmgr.*
    solaris.admin.serialmgr.modify -- Manage Serial Ports
    solaris.admin.serialmgr.delete -- Delete Serial Ports
    solaris.admin.serialmgr.read -- View Serial Ports

solaris.admin.usermgr.*
    solaris.admin.usermgr.audit -- Set User Audit Info
    solaris.admin.usermgr.write -- Manage Users
    solaris.admin.usermgr.psword -- Change Password
    solaris.admin.usermgr.read -- View Users and Roles
    solaris.admin.usermgr.labels -- Set User Label Info

solaris.audit.*
    solaris.audit.config -- Configure Auditing
    solaris.audit.read -- Read Audit Trail

solaris.compsys.*
    solaris.compsys.read -- View Computer System Information
    solaris.compsys.write -- Manage Computer System Information

solaris.device.*
    solaris.device.allocate -- Allocate Device
    solaris.device.config -- Configure Device Attributes
    solaris.device.grant -- Delegate Device Administration
    solaris.device.revoke -- Revoke or Reclaim Device

solaris.file.*
    solaris.file.audit -- Set File Audit Attributes
    solaris.file.chown -- Change File Owner
    solaris.file.privs -- Set File Privilege
    solaris.file.owner -- Act as File Owner

solaris.grant
    solaris.grant -- Grant All Solaris Authorizations

solaris.jobs.*
    solaris.jobs.admin -- Manage All Jobs
    solaris.jobs.grant -- Delegate Cron & At Administration
    solaris.jobs.user -- Manage Owned Jobs

solaris.label.*
    solaris.label.print -- View Printer Queue at All Labels
    solaris.label.file.downgrade -- Downgrade File Label
    solaris.label.file.upgrade -- Upgrade File Label
    solaris.label.range -- Set Label Outside User Accred Range
    solaris.label.win.downgrade -- Downgrade DragNDrop or CutPaste Info
    solaris.label.win.noview -- DragNDrop or CutPaste without Viewing Contents
    solaris.label.win.upgrade -- Upgrade DragNDrop or CutPaste Info

solaris.login.*
    solaris.login.enable -- Enable Logins
    solaris.login.remote -- Remote Login
    solaris.login.su -- Switch User Without Trusted Path

solaris.network.*
    solaris.network.hosts.read -- View Computers and Networks
    solaris.network.hosts.write -- Manage Computers and Networks
    solaris.network.security.write -- Manage Trusted Networking
    solaris.network.security.read -- View Trusted Networking

solaris.print.*
    solaris.print.admin -- Administer Printer
    solaris.print.list -- List Jobs in Printer Queue
    solaris.print.cancel -- Cancel Print Job
    solaris.print.nobanner -- Print without Banner
    solaris.print.ps -- Print PostScript
    solaris.print.unlabeled -- Print without Label

solaris.profmgr.*
    solaris.profmgr.assign -- Assign All Rights
    solaris.profmgr.delegate -- Assign Owned Rights
    solaris.profmgr.execattr.write -- Manage Commands
    solaris.profmgr.read -- View Rights
    solaris.profmgr.write -- Manage Rights

solaris.role.*
    solaris.role.assign -- Assign All Roles
    solaris.role.delegate -- Assign Owned Roles
    solaris.role.write -- Manage Roles

solaris.system.*
    solaris.system.date -- Set Date & Time
    solaris.system.shutdown -- Shutdown the System

For a complete list of authorizations, see the /etc/security/auth_attr file. Authorizations are assigned to rights profiles using the Rights dialog box in the SMC User Manager.
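The following C program is an added illustration of the two mechanisms described above: the dotted naming convention with a trailing wildcard, and the grant entries in Table 1-3 (solaris.grant, solaris.device.grant, solaris.jobs.grant). It is not code from the Trusted Solaris environment or from libsecdb; it models the wildcard semantics the text states (a * after a dot covers every name to the right of that dot) and, as an assumption, models delegation as requiring both the authorization itself and a .grant authorization on one of its dot-delimited prefixes. The granted-authorization lists are constructed sample input in the comma-separated form used by the auths= keyword of the RBAC databases.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Does a single granted authorization cover the required one?
 * A granted name ending in ".*" covers every name that begins with the
 * text up to and including that dot, i.e. anything to the right of the dot.
 * A '*' that does not directly follow a dot is not treated as a wildcard. */
static bool auth_covers(const char *granted, const char *required)
{
    size_t glen = strlen(granted);

    if (glen >= 2 && granted[glen - 1] == '*' && granted[glen - 2] == '.') {
        size_t prefix = glen - 1;                 /* keep the trailing dot */
        return strncmp(granted, required, prefix) == 0
            && required[prefix] != '\0';          /* something must follow the dot */
    }
    return strcmp(granted, required) == 0;
}

/* Walk a comma-separated list of granted authorizations (constructed sample
 * input, in the "auths=" list form) and report whether any entry covers the
 * required authorization. The input string is not modified. */
bool has_authorization(const char *granted_list, const char *required)
{
    const char *p = granted_list;

    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char tok[256];

        while (len > 0 && *p == ' ') { p++; len--; }      /* trim "a, b" spacing */
        while (len > 0 && p[len - 1] == ' ') len--;
        if (len > 0 && len < sizeof tok) {
            memcpy(tok, p, len);
            tok[len] = '\0';
            if (auth_covers(tok, required))
                return true;
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return false;
}

/* Assumed delegation rule (not stated on the page): a user may delegate an
 * authorization only if they hold it themselves and also hold a ".grant"
 * authorization on one of its prefixes, e.g. solaris.device.grant or
 * solaris.grant for solaris.device.allocate. */
bool can_delegate(const char *granted_list, const char *auth)
{
    char candidate[256];
    size_t len = strlen(auth);

    if (len + sizeof ".grant" > sizeof candidate)
        return false;                             /* refuse oversize names */
    if (!has_authorization(granted_list, auth))
        return false;

    for (size_t i = 0; i < len; i++) {            /* try "solaris.grant", "solaris.device.grant", ... */
        if (auth[i] == '.') {
            memcpy(candidate, auth, i);
            strcpy(candidate + i, ".grant");
            if (has_authorization(granted_list, candidate))
                return true;
        }
    }
    return false;
}

int main(void)
{
    /* Constructed sample grant lists for two hypothetical roles. */
    const char *useradmin = "solaris.admin.usermgr.*, solaris.file.chown";
    const char *devadmin  = "solaris.device.allocate,solaris.device.grant";

    printf("useradmin may Manage Users:        %s\n",
           has_authorization(useradmin, "solaris.admin.usermgr.write") ? "yes" : "no");
    printf("useradmin may Manage All Processes: %s\n",
           has_authorization(useradmin, "solaris.admin.procmgr.admin") ? "yes" : "no");
    printf("devadmin may delegate Allocate Device: %s\n",
           can_delegate(devadmin, "solaris.device.allocate") ? "yes" : "no");
    printf("devadmin may delegate Revoke Device:   %s\n",
           can_delegate(devadmin, "solaris.device.revoke") ? "yes" : "no");
    return 0;
}
```

The check that something must follow the dot, and that a * is only a wildcard when it directly follows a dot, keeps solaris.admin.* from silently matching a shorter or lexically similar name; a practitioner reviewing a role's grant list should look for broad wildcards such as solaris.* or solaris.grant, which cover every authorization in the table, including Switch User Without Trusted Path and Downgrade File Label.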