System Administration Guide: Security Services

How to Create or Change a Rights Profile

A rights profile is a property of a role. You should create or change a rights profile when the prof_attr database does not contain a rights profile that fulfills your needs. To learn more about rights profiles, see RBAC Rights Profiles.

Before You Begin

To create or change a rights profile, you must have assumed the role of Primary Administrator or have switched to superuser.

  1. Use one of the following methods to create or change a rights profile.

    • Use the Users tool in the Solaris Management Console.

      To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to create or change a rights profile in Rights. For more extensive information, see the online help.

    • Use the smprofile command.

      This command enables you to add, modify, list, or delete a rights profile. The command works on files, and in a distributed name service, such as NIS, NIS+, or LDAP. The smprofile command runs as a client of the Solaris Management Console server.


      $ /usr/sadm/bin/smprofile -D domain-name \
      -r admin-role -l <Type admin-role password> \
      add | modify -- -n profile-name \
      -d description -m help-file -p supplementary-profile
      
      -D domain-name

      Is the name of the domain that you want to manage.

      -r admin-role

      Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.

      -l

      Is the prompt for the password of admin-role.

      --

      Is the required separator between authentication options and subcommand options.

      -n profile-name

      Is the name of the new profile.

      -d description

      Is a short description of the profile.

      -m help-file

      Is the name of the HTML help file that you have created and placed in the /usr/lib/help/profiles/locale/C directory.

      -p supplementary-profile

      Is the name of an existing rights profile that is included in this rights profile. You can specify multiple -p supplementary-profile options.

      For more command options, see the smprofile(1M) man page.


Example 9–19 Modifying a Rights Profile From the Command Line

In the following example, the Network Management rights profile is made a supplementary profile of the Network Security rights profile. The role that contains the Network Security profile can now configure the network and hosts, as well as run security-relevant commands.


$ /usr/sadm/bin/smprofile -D nisplus:/example.host/example.domain \
-r primaryadm -l <Type primaryadm password> \
modify -- -n "Network Security" \
-d "Manage network and host configuration and security" \
-m RtNetConfSec.html -p "Network Management"

The administrator created a new help file, RtNetConfSec.html, and placed it in the /usr/lib/help/profiles/locale/C directory, before running this command.



Example 9–20 Creating a New Rights Profile With the Rights Tool

The following table shows sample data for a hypothetical rights profile that is called “Build Administrator”. This rights profile includes the commands in the subdirectory /usr/local/swctrl/bin. These commands have an effective UID of 0. The Build Administrator rights profile would be useful for administrators who manage the builds and versioning for software development.

| Tab | Field | Example |
|---|---|---|
| General | Name | Build Administrator |
| | Description | For managing software builds and versioning. |
| | Help File Name | BuildAdmin.html |
| Commands | Add Directory | Click Add Directory, type /usr/local/swctrl/bin in the dialog box, and click OK. |
| | Commands Denied / Commands Permitted | Move /usr/local/swctrl/bin to the Commands Permitted column. |
| | Set Security Attributes | Select /usr/local/swctrl/bin, click Set Security Attributes, and set Effective UID = root. |
| Authorizations | Authorizations Excluded / Authorizations Included | No authorizations. |
| Supplementary Rights | Rights Excluded / Rights Included | No supplementary rights profiles. |
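
To review what a profile grants after changes like those in Examples 9–19 and 9–20, the following added Python example (not part of the original guide) parses entries in prof_attr(4) and exec_attr(4) format, follows supplementary profiles, and lists the commands that run with UID or effective UID 0, flagging directory wildcards. The sample entries are constructed, and the exact lines that the console or smprofile writes are an assumption.

```python
# Constructed sample entries in prof_attr(4)/exec_attr(4) format; assumed, not from a real host.
PROF_ATTR = """\
Network Security:::Manage network and host configuration and security:profiles=Network Management;help=RtNetConfSec.html
Network Management:::Manage the host and network configuration:
Build Administrator:::For managing software builds and versioning.:help=BuildAdmin.html
"""
EXEC_ATTR = """\
Network Security:suser:cmd:::/usr/sbin/ipsecconf:euid=0
Network Management:suser:cmd:::/usr/sbin/ifconfig:uid=0
Build Administrator:suser:cmd:::/usr/local/swctrl/bin/*:euid=0
"""

def parse_attrs(field):
    """Split a 'key=value;key=value' attribute field into a dict."""
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)

def entries(text, nfields):
    """Yield the colon-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":", nfields - 1)

def load_profiles(text):
    """prof_attr: name:res1:res2:desc:attr -> {name: [supplementary profiles]}."""
    profiles = {}
    for name, _r1, _r2, _desc, attr in entries(text, 5):
        supp = parse_attrs(attr).get("profiles", "")
        profiles[name] = [p for p in supp.split(",") if p]
    return profiles

def load_commands(text):
    """exec_attr: name:policy:type:res1:res2:id:attr -> {name: [(id, attrs)]}."""
    cmds = {}
    for name, _pol, _type, _r1, _r2, cmd_id, attr in entries(text, 7):
        cmds.setdefault(name, []).append((cmd_id, parse_attrs(attr)))
    return cmds

def root_commands(profile, profiles, cmds, seen=None):
    """List (profile, id, is_wildcard) for commands run with uid or euid 0,
    following supplementary profiles and ignoring include cycles."""
    seen = set() if seen is None else seen
    if profile in seen:
        return []
    seen.add(profile)
    found = [(profile, cid, cid == "*" or cid.endswith("/*"))
             for cid, a in cmds.get(profile, [])
             if a.get("euid") in ("0", "root") or a.get("uid") in ("0", "root")]
    for sub in profiles.get(profile, []):
        found += root_commands(sub, profiles, cmds, seen)
    return found
```

A wildcard entry such as /usr/local/swctrl/bin/* covers every file in that directory, so anyone who can write to the directory can add a command that the profile runs as root. Check the directory's ownership and permissions along with the profile.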


Troubleshooting

Check the following if the rights profile does not provide the role with the capabilities that you expect: