Assigning Roles to Users

The advantage of using this procedure is that only a user who has been assigned a specific role can assume the role. In assuming a role, a password is required if the role is given a password. This provides two layers of security. If a user has not been assigned a role, then the user cannot assume the role (by doing the su role-name command) even if the user has the correct password.

Create a Role and Assign the Role to a User

1. Create a role.

   # roleadd -A solaris.ldoms.read ldm_read

2. Assign a password to the role.

   # passwd ldm_read

3. Assign the role to a user; for example, user_1.

   # useradd -R ldm_read user_1

4. Assign a password to the user (user_1).

   # passwd user_1

5. Assign access only to the user_1 account to become the ldm_read account.

   # su user_1

6. Type the user password when or if prompted.

7. Verify the user ID and access to the ldm_read role.

   $ id uid=nn(user_1) gid=nn(<group name>) $ roles ldm_read

8. Provide access to the user for ldm subcommands that have read authorization.

   # su ldm_read

9. Type the user password when or if prompted.

10. Type the id command to show the user.

    $ id uid=nn(ldm_read) gid=nn(<group name>)