Trusted applications and authorizations can be grouped into packages called rights profiles for assignment to user or role accounts. The main purpose of a rights profile is to provide limited override power to a user or role that needs this capability.
The potential contents of a rights profile are:
CDE actions with or without real and effective UIDs and GIDs, privileges, process labels, and clearances
Commands with or without real and effective UIDs and GIDs, privileges, process labels, and clearances
To assign rights profiles to users, you open the User Properties dialog box from the Users tool in the Solaris Management Console (SMC) and select the Rights tab, as shown in the following figure. The rights profiles not assigned to the current user or role are displayed in the Excluded column on the left and must be moved to the right column for assignment to the current account. For more information, see the online help. In similar fashion, you can make changes to roles through the Administrative Roles dialog box in the Users tool.
The Trusted Solaris environment provides a set of predefined rights profiles (see the following table). Before you assign any of these rights profiles, you should familiarize yourself with their contents. To view the contents of predefined rights profiles, use the -list option of the smprofile command (see "Displaying Rights Profile Information") or the Rights dialog box. The profiles can be modified according to the needs of your organization.
Table 1-2 Rights Profile Descriptions
Rights Profile |
Purpose |
---|---|
Provides access to all executables but without privileges. |
|
All Actions |
Provides access to all actions but without privileges. |
Provides all authorizations (for testing). |
|
All Commands |
Provides access to all commands but without privileges. |
For managing the audit subsystem but without the ability to read files. |
|
For reading the audit trail. |
|
Provides access to the applications on the Front Panel with the necessary privileges. |
|
Provides access to basic commands necessary for all roles. |
|
Basic Solaris User |
Assigned to all users of the Solaris Management Console. Provides Read permissions and lets users add cron jobs to their crontab files. Contains the All rights profile. |
Provides authorizations for normal users. |
|
For managing cron and at jobs. |
|
An empty right for adding security attributes to the default Admin role. |
|
An empty right for adding security attributes to the default Oper role. |
|
An empty right for adding security attributes to the default Root role. |
|
An empty right for adding security attributes to the default Secadmin role. |
|
Custom SSP |
An empty right for adding security attributes to the default SSP role for Sun EnterpriseTM 10000 administration. |
Device Management |
For allocating and deallocating devices, and correcting error conditions. |
For managing and configuring devices. |
|
Provides the authorization for allowing yourself and other users to log in after boot. |
|
For managing file systems. |
|
For managing file system labels and other security attributes. |
|
Information Security |
For setting access control policy. |
For configuring sendmail, modifying aliases, and checking mail queues. |
|
Provides commands needed to maintain or repair a system. |
|
For backing up files. |
|
Restore files from backup. |
|
Name Service Management |
Grants right to control the name service daemon. |
Name Service Security |
Grants right to control the name service properties and table data. |
For managing the host and network configuration. |
|
Network Security |
For managing network and host security, with authorizations for modifying trusted network databases. |
For changing ownership and permissions on files. |
|
For changing labels of files and setting up system-wide labels. |
|
For changing privileges on executable files. |
|
For operating outside system accreditation range. |
|
Primary Administrator |
Contains subordinate rights profiles for primary administrator role. |
For developers to run Bourne, Korn, and C shells with all privileges. Not intended for secure environments. |
|
For managing current processes, including cron and at jobs. |
|
Remote Administration | For remote administration of headless systems. |
Rights Delegation |
Lets user or role assign rights assigned to that user or role to other users or roles. Lets user assign roles assigned to that user to other users. |
Rights Security |
For managing assignment of rights profiles, labels, and privileges, and for setting account security. |
Software Installation |
For adding application software to the system. |
SSP Administration |
Tools for administering the SSP. |
SSP Installation |
Tools for installing the SSP. |
System Administrator |
Contains subordinate rights profiles for system administrator role. |
For creating and modifying users but without the ability to modify self (as a security measure). |
|
For creating and modifying users' security attributes but without the ability to modify self (as a security measure). |
Use the smprofile -list command to obtain various rights profile information. This command displays the contents of any profile for all users or specified users and optionally displays the contents of the profiles. See the smprofile(1) man page for examples. Another option for displaying rights profile information is the profiles(1) command.
If the predefined rights profiles as they are shipped are not appropriate for your organization, they can be modified by the security administrator, or another role with equivalent powers. Use the Rights dialog box to edit the contents of rights profiles. The Rights dialog box is accessed from the Users tool in the Solaris Management Console. For more information, see the online help.