Trusted Solaris Administrator's Procedures

Managing Users and Rights (Tasks)

To List All Rights

Once the SMC is initialized, users or roles can view one rights profile at a time in the Rights tool under Users in the SMC, or use the smprofile(1M) command described below to see a list of all profiles.

  1. Assume the Security or System Administrator role.

  2. To list the rights profiles in a name service domain, use the smprofile list command with the -D option to specify the name_service_type:/server_name/domain_name. Provide a password when prompted.

    The following example lists the profiles that are defined in the NIS+ domain tropics.example.com whose NIS+ master server is toucan. The command is being executed on the tern system:


    $ /usr/sadm/bin/smprofile list -D nisplus:/toucan/tropics.example.com -- 
    Authenticating as user: janez
    
    Type /? for help, pressing <enter> accepts the default denoted by [ ]
    Please enter a string value for: password :: rolePassword
    Loading Tool: usermgr.cli.profile.UserMgrProfCli from tern
    Login to tern as user janez, role admin was successful.
    Download of usermgr.cli.profile.UserMgrProfCli from tern was successful.
    Profile name: All Actions Description: A complete set of actions 
                  (no commands) without any privilege.
    Profile name: All Authorizations Description: Grant all authorizations.
    Profile name: All Commands Description: A complete set of commands 
                  (but no actions) without any privilege.
    Profile name: All Description: Execute all commands and actions.
    ...
    Profile name: User Security Description: Manage passwords, clearances.
    Profile name: Trusted Edit Description: Use the trusted_edit script
                  when editing.

    The following example lists the security attributes of the All profile.


    $ /usr/sadm/bin/smprofile list \
    -D nisplus:/toucan/tropics.example.com -- -l -n All
    ...
    Profile name:   All
      Description:  Execute all commands and actions
      help:         RtAll.html
      Command:      *;*;*;*;*
         policy:    tsol
         type:      act
      Command:      *
         policy:    tsol
         type:      cmd

To Create a Help File for a Rights Profile

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Using the Admin Editor, open a new help file with an .html extension in the directory /usr/lib/help/profiles/locale/locale/.

    For example, FilePriv.html.

  3. In the help file, describe the rights profile you have added.

    Follow the online help when creating the help file. For example:


    <HTML>
    <HEAD>
    Copyright (c) 2001 by Sun Microsystems, Inc. All rights reserved. 
    <!-- SCCS keyword #pragma ident   "%Z%%M% %I%     %E% SMI; TSOL 2.x" -->
    <!-- FilePriv.html -->
    </HEAD>
    <BODY>
    Allows a user to specify the allowed and forced privileges to be associated
    with the execution of a program file. 
    <P>
    If the name of the file privileges rights profile is grayed, you are not 
    allowed to add or remove it.
    </BODY>
    </HTML>

  4. Save and quit the new help file.

  5. Enter the name of the help file in the Help File Name: field when creating the right.

To Create a Rights Profile

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Create a help file for the new rights profile.

    Use the procedure "To Create a Help File for a Rights Profile".

  3. Bring up the SMC in the desired scope and click the Users tool. Supply a password when prompted.

  4. Double-click the Rights tool.

  5. To create a rights profile, select Add Right from the Action menu.

    Use the online help when creating the new right.

  6. Name the profile Custom rolename Role, and describe it.

    For example, for a role whose username is auditadmin, you would create an empty Custom Auditadmin Role profile. In the profile's description you would enter:


    Modify this rights profile to customize the Audit Administrator role

  7. Select the action or command to add to the right.

    See the Trusted Solaris man pages for individual commands for the security attributes that the command, or any of its options, needs in order to succeed. For example, if a command requires a privilege to accomplish a task, adding that privilege to the command's entry lets the command execute with the specified inherited privileges whenever a user or role that has been assigned this rights profile runs it.

  8. Click the Set Security Attributes button to enter the information requested in the help for the Ownership and Extended Attributes areas.

    For example, by adding the name of an installation program to a rights profile, assigning to the program a real UID of 0, and then assigning the profile to a role, the Security Administrator can enable an installation program to succeed when run by a role that has another UID, such as the System Administrator role.

  9. Add authorizations if needed.

    A rights profile can contain commands only, actions only, authorizations only, or a combination of commands, actions, and authorizations.

  10. Click OK to save the new rights profile.

To Modify a Rights Profile

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Bring up the SMC in the desired scope and click the Users tool. Supply a password when prompted.

  3. Double-click the Rights tool, select the profile, then choose Properties from the Action menu.

    Refer to the online help when modifying the right.

  4. Click OK to save the rights profile.

To Create a User Template

  1. Assume the System Administrator role and go to an ADMIN_LOW workspace.

  2. Bring up the SMC Users tool. If you are using a name service, do this procedure on the name service master.

  3. Supply a password when prompted.

  4. Click the User Templates tool.

  5. Choose Add User Template from the Action menu.

  6. Decide on a Login Shell.

    You can assign a profile shell to users by choosing other and then typing in the path to a profile shell: /bin/pfsh, /bin/pfcsh, or /bin/pfksh. While working in a profile shell, an account can execute only those commands that are in the account's set of profiles. See the pfexec(1) man page for descriptions of the profile shells.

    The Bourne, Korn, and C shells allow the account to execute all available commands that do not need to inherit privilege. See the following man pages for more information about the listed shells: csh(1), ksh(1), bash(1), tsh(1), zsh(1).

  7. Use the online help to guide you through the General, Group, Home Directory, Sharing, Password Options, and Mail tabs.

    The following is a text example of a User Template.


    Template Name: Desktop User
    Template Description: Users with C-shells
    General - Login shell = C Shell
            - Account is Always Available
    Group   - Primary Group = staff
            - Secondary Groups = writers
    Home Directory - Server = /net/egret.aviary
                   - Path   = /net/egret/export/home
                     Append User Names to path above
                   - Skeleton directory = /etc/skel/Csh
                   - Automatically mount
    Home Directory Sharing
            - Group members have Read-only Access
            - All users have Read-only Access
    Password Options - User must keep for 31 days
                     - Before change, alert user 5 days
                     - User must change within 5 days
                     - Expires if not used for 31 days
    Mail Server    - /net/pigeon.aviary

  8. Click OK when finished to save the template.

To Add a User Account

  1. Assume the System Administrator role and go to an ADMIN_LOW workspace.

  2. Bring up the SMC in the desired scope and click the Users tool. Supply a password when prompted.

  3. Double-click User Accounts.

    All configured users are displayed as icons labeled with their usernames.

  4. Choose one of the following from the Action menu:

    • Add User->With Wizard

    • Add User->From Template

      To use the From Template option, you need to first create a template. See "To Create a User Template" for the procedure.

    Depending on whether you use the Wizard or Template method, some fields will not be available.

  5. Enter the user's name and ID.

    User names and UIDs must be unique to ensure traceability of activities back to a single identified user. Therefore, each user name and UID should not be duplicated anywhere on the network, and should not be reused during the life of the system.

  6. Enter a description.

    The description will appear in the user's email From field. For example,


    From: Bar Bar -- Useful Worker

  7. Continue to create the user, referring to the online help when necessary.

    Also see "Adding or Modifying a User Account" for guidance.

To Modify a User Account

The Security Administrator role follows this procedure to add user security attributes, such as passwords, to user accounts.

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Bring up the SMC in the desired scope and click the Users tool. Supply a password when prompted.

  3. Double-click the User Accounts tool, highlight the username, then choose Properties from the Action menu.

    Use the online help when modifying the user's properties.

  4. Click OK when you have entered all the changes.

To Assign a Right to a User

The right must exist before assigning it. See "Managing Users and Rights (Tasks)" for creating a rights profile.

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Bring up the SMC in the desired scope and click the Users tool. Supply a password when prompted.

  3. Double-click the User Accounts tool, highlight the username, then choose Properties from the Action menu.

    Use the online help when modifying the user's security attributes.

  4. Click the Rights tab.

  5. Order the rights profiles appropriately. Move the new right above the All profile, and further up if necessary.

    When the user invokes a command or action, the profile mechanism uses the first instance of the command or action, with its security attributes. So, if two rights profiles share a command, and both are assigned to one user or role, the command in the first profile is executed, with its attendant security attributes. The same command in the second profile is not seen by the profile mechanism.

  6. Click OK when you have entered all the changes.
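    The first-match rule described in step 5, as an added example that is not part of the Trusted Solaris documentation: the profile names, the command path /usr/sbin/install_pkg and the attribute strings are constructed sample data in an exec_attr(4)-style key=value form, and shadowed() is an added ordering check, not an SMC or smprofile function.

```python
"""First-match resolution of a command across a user's ordered rights profiles.

Added example; not code from the Trusted Solaris documentation. Profile
contents are constructed sample data with an exec_attr(4)-style
'key=value;key=value' attribute string, not real profile entries.
"""
from typing import Dict, List, Optional, Tuple

# Constructed: profile name -> {command: security attributes}.
# "*" is the wildcard the All profile uses to cover every command.
PROFILES: Dict[str, Dict[str, str]] = {
    "All": {"*": ""},  # all commands, no added privilege
    "Custom Sysadmin Role": {
        "/usr/sbin/install_pkg": "uid=0",  # constructed path; real UID 0 as in step 8
    },
}

Match = Tuple[str, str]  # (profile that supplied the entry, attributes)


def resolve(command: str, assigned: List[str],
            profiles: Dict[str, Dict[str, str]] = PROFILES) -> Optional[Match]:
    """Walk the profiles in assigned order and return the first entry that
    names `command` exactly or via the "*" wildcard; None if none does."""
    for name in assigned:
        entries = profiles.get(name, {})
        if command in entries:
            return name, entries[command]
        if "*" in entries:
            return name, entries["*"]
    return None


def shadowed(assigned: List[str],
             profiles: Dict[str, Dict[str, str]] = PROFILES
             ) -> List[Tuple[str, str, str]]:
    """Report every (command, owning profile, winning profile) where an
    earlier profile's entry hides the command's attributes. An empty list
    means the ordering lets each profile's attributes take effect."""
    hidden = []
    for name in assigned:
        for command in profiles.get(name, {}):
            winner = resolve(command, assigned, profiles)
            if winner is not None and winner[0] != name:
                hidden.append((command, name, winner[0]))
    return hidden


if __name__ == "__main__":
    below_all = ["All", "Custom Sysadmin Role"]   # new right left below All
    above_all = ["Custom Sysadmin Role", "All"]   # new right moved above All
    print(resolve("/usr/sbin/install_pkg", below_all))  # ('All', '')
    print(resolve("/usr/sbin/install_pkg", above_all))  # ('Custom Sysadmin Role', 'uid=0')
    print(shadowed(below_all))  # the install command is hidden by All
```

With the custom profile left below All, the wildcard entry wins and the command runs without the real UID 0 the profile was meant to grant; moving the profile above All makes its attributes take effect, which is what the ordering in step 5 achieves.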

To Assign an Authorization to a User

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Launch the Solaris Management Console and choose the appropriate scope. If you are using a name service, choose the name service scope.

  3. Click Users and supply a password when prompted.

  4. Double-click the Rights tool to create a new right with the authorization, if necessary. Save the new right.

    See "To Create a Help File for a Rights Profile" and "To Create a Rights Profile" for the steps.

  5. Add the new rights profile to the user's rights by opening the User Accounts tool, selecting the user, and editing the user's properties.

    Use the online help for guidance.