You must either assume a role that includes the Primary Administrator rights profile, or switch to the user root to change the properties of a role. Role properties include password, rights profiles, and authorizations.
To change a role's password property, see How to Change the Password of a Role.
Use one of the following methods to change the properties of a role.
Use the Users tool in the Solaris Management Console.
To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a role in Administrative Roles. For more extensive information, see the online help.
Use the rolemod command.
$ rolemod -c comment -P profile-list rolename
Is the new comment that describes the capabilities of the role.
Is the list of the profiles that are included in the role. This list replaces the current list of profiles.
Is the name of an existing, local role that you want to modify.
For more command options, see the rolemod(1M) man page.
Use the smrole command with the modify subcommand.
$ /usr/sadm/bin/smrole -D domain-name \ -r admin-role -l <Type admin-role password> \ modify -- -n rolename -r username -u username
Is the name of the domain that you want to manage.
Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.
Is the prompt for the password of admin-role.
Is the required separator between authentication options and subcommand options.
Is the name of the new role.
Is the name of the user who can no longer assume rolename.
Is the name of the user who can now assume rolename.
For more command options, see the smrole(1M) man page.
In this example, the operadm role is modified to include the Media Restore rights profile.
$ rolemod -c "Handles printers, backup, AND restore" \ -P "Printer Management,Media Backup,Media Restore,All" operadm
These rights profiles are added to the profiles that are granted through the policy.conf file.
In the following example, the operadm role is modified to add the Media Restore rights profile.
$ /usr/sadm/bin/smrole -r primaryadm -l <Type primaryadm password> \ modify -- -n operadm -c "Handles printers, backup, AND restore" \ -p "Media Restore"
In the following example, the clockmgr role is changed. The NIS user whose ID is 108 can no longer assume the role. The NIS user whose ID is 110 can assume the role clockmgr.
$ /usr/sadm/bin/smrole -D nis:/examplehost/example.domain \ -r primaryadm -l <Type primaryadm password> \ modify -- -n clockmgr -r 108 -u 110