The Security Administrator role can assign forced privileges to an executable file for a command by using the File Manager Privileges dialog box or by entering the setfpriv(1) command in a profile shell, as described under "To Give Forced Privileges to a Command".
When a command with forced privileges is executed by any user in any shell, the forced privileges are put into the effective set of the executing program. The only way to prevent a user from executing such a command with privilege is to control access to the command itself. If you give the user only one profile shell to use, and do not assign the command, the user cannot execute the command.
To change the privileges on an executable file, the process's label must allow MAC write access to the file. The process does not require DAC write permission. The default Security Administrator role can change the privileges on an executable file in an admin_low workspace. The forced and allowed privilege sets of a file can be changed by:
The owner of the file, or
A process with the file_setpriv privilege, or
An account with the Set File Privileges authorization
When you assign forced privileges using the File Manager Privileges dialog box, the software automatically assigns the same set of allowed privileges. However, the setfpriv command requires you to set both the allowed and the forced sets appropriately in the same command line.