System Administration Guide: Security Services

Procedure: How to Change the Properties of a Role

Before You Begin

You must have assumed the role of Primary Administrator or have switched to superuser to change the properties of a role. Role properties include password, rights profiles, and authorizations.


Note – To change a role's password property, see How to Change the Password of a Role.


  1. Use one of the following methods to change the properties of a role.

    • Use the Users tool in the Solaris Management Console.

      To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a role in Administrative Roles. For more extensive information, see the online help.

    • Use the rolemod command.

      This command modifies the attributes of a role that is defined in the local name service.


      $ rolemod -c comment -P profile-list rolename
      
      -c comment

      Is the new comment that describes the capabilities of the role.

      -P profile-list

      Is the list of the profiles that are included in the role. This list replaces the current list of profiles.

      rolename

      Is the name of an existing, local role that you want to modify.

      For more command options, see the rolemod(1M) man page.

    • Use the smrole command with the modify subcommand.

      This command modifies the attributes of a role in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.


      $ /usr/sadm/bin/smrole -D domain-name \
      -r admin-role -l <Type admin-role password> \
      modify -- -n rolename -r username -u username
      
      -D domain-name

      Is the name of the domain that you want to manage.

      -r admin-role

      Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.

      -l

      Is the prompt for the password of admin-role.

      --

      Is the required separator between authentication options and subcommand options.

      -n rolename

      Is the name of the new role.

      -r username

      Is the name of the user who can no longer assume rolename.

      -u username

      Is the name of the user who can now assume rolename.

      For more command options, see the smrole(1M) man page.


Example 9–16 Changing a Local Role's Properties With the rolemod Command

In this example, the operadm role is modified to include the Media Restore rights profile.


$ rolemod -c "Handles printers, backup, AND restore" \
-P "Printer Management,Media Backup,Media Restore,All" operadm
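
Because -P replaces the role's profile list rather than adding to it, the new list has to be built from the role's current entry. The following is an added example, not part of the original guide: it parses a constructed user_attr(4) line, places the new profile ahead of All as the command above does, and prints the rolemod command for review instead of running it. The function names and the sample entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): build the full -P list for rolemod
# from a role's current entry, since -P replaces the existing list.

# Constructed sample line in user_attr(4) format. On a live system the
# line would come from: grep '^operadm:' /etc/user_attr
SAMPLE_ENTRY='operadm::::type=role;profiles=Printer Management,Media Backup,All'

# current_profiles ENTRY
# Print the profiles= value from the attribute field (field 5).
current_profiles() {
    printf '%s\n' "$1" | cut -d: -f5 | tr ';' '\n' | sed -n 's/^profiles=//p'
}

# merged_profiles ENTRY NEW-PROFILE
# Print the current list plus NEW-PROFILE, without duplicating it, and
# with All kept as the final entry as in Example 9-16.
merged_profiles() {
    cur=$(current_profiles "$1")
    new=$2
    out= present=no has_all=no
    old_ifs=$IFS
    IFS=,
    for p in $cur; do
        [ "$p" = "$new" ] && present=yes
        if [ "$p" = All ]; then has_all=yes; else out=${out:+$out,}$p; fi
    done
    IFS=$old_ifs
    [ "$present" = yes ] || out=${out:+$out,}$new
    if [ "$has_all" = yes ]; then out=$out,All; fi
    printf '%s\n' "$out"
}

# rolemod_command ENTRY NEW-PROFILE
# Print (do not execute) the rolemod invocation so it can be reviewed.
rolemod_command() {
    role=$(printf '%s\n' "$1" | cut -d: -f1)
    printf 'rolemod -P "%s" %s\n' "$(merged_profiles "$1" "$2")" "$role"
}

rolemod_command "$SAMPLE_ENTRY" "Media Restore"
```

Comparing the printed list against the role's current entry before running the command confirms that no existing profile is dropped by the replacement.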


Example 9–17 Changing a Local Role's Properties With the smrole modify Command

In the following example, the operadm role is modified to add the Media Restore rights profile.


$ /usr/sadm/bin/smrole -r primaryadm -l <Type primaryadm password> \
modify -- -n operadm -c "Handles printers, backup, AND restore" \
-p "Media Restore"


Example 9–18 Changing a Role in a Domain With the smrole modify Command

In the following example, the clockmgr role is changed. The NIS user whose ID is 108 can no longer assume the role. The NIS user whose ID is 110 can assume the role clockmgr.


$ /usr/sadm/bin/smrole -D nis:/examplehost/example.domain \
-r primaryadm -l <Type primaryadm password> \
modify -- -n clockmgr -r 108 -u 110