This feature enables you to distribute refined permissions to specific users, groups, or everyone. Two types of delegated permissions are supported:
Individual permissions can be explicitly specified such as create, destroy, mount, snapshot, and so on.
Groups of permissions called permission sets can be defined. A permission set can later be updated and all of the consumers of the set automatically get the change. Permission sets begin with the @ symbol and are limited to 64 characters in length. After the @ character, the remaining characters in the set name have the same restrictions as normal ZFS file system names.
ZFS delegated administration provides similar features to the RBAC security model. This feature provides the following advantages for administering ZFS storage pools and file systems:
Permissions follow the ZFS storage pool when the pool is migrated.
Provides dynamic inheritance where you can control how the permissions propagate through the file systems.
Can be configured so that only the creator of a file system can destroy the file system.
You can distribute permissions to specific file systems. Newly created file systems can automatically pick up permissions.
Provides simple NFS administration. For example, a user with explicit permissions could create a snapshot over NFS in the appropriate .zfs/snapshot directory.
Consider using delegated administration for distributing ZFS tasks. For information about using RBAC to manage general Solaris administration tasks, see Part III, Roles, Rights Profiles, and Privileges, in System Administration Guide: Security Services.
You control the delegated administration features by using the pool's delegation property. For example:
# zpool get delegation users NAME PROPERTY VALUE SOURCE users delegation on default # zpool set delegation=off users # zpool get delegation users NAME PROPERTY VALUE SOURCE users delegation off local |
By default, the delegation property is enabled.