User properties include password, rights profiles, roles, and authorizations. The most secure method of giving a user administrative capabilities is to assign a role to the user. For a discussion, see Security Considerations When Directly Assigning Security Attributes.
You must either assume a role that includes the Primary Administrator rights profile, or switch to the user root.
Use one of the following methods to change the RBAC properties of a user.
Use the Users tool in the Solaris Management Console.
To start the console, see How to Assume a Role in the Solaris Management Console. Follow the instructions in the left-hand pane to modify a user in User Accounts. For more extensive information, see the online help.
It is not good practice to assign authorizations, privileges, or rights profiles directly to users. The preferred approach is to assign a role to users. Users then assume a role to perform privileged operations.
Use the usermod command. This command modifies the attributes of a user that is defined in the local name service.
$ usermod -R rolename username

-R rolename
    Is the name of an existing local role.

username
    Is the name of an existing, local user that you want to modify.
For more command options, see the usermod(1M) man page.
Use the smuser command with the modify subcommand.
This command modifies the attributes of a user in a distributed name service, such as NIS, NIS+, or LDAP. This command runs as a client of the Solaris Management Console server.
$ /usr/sadm/bin/smuser -D domain-name \
-r admin-role -l <Type admin-role password> \
modify -- -n username -a rolename

-D domain-name
    Is the name of the domain that you want to manage.

-r admin-role
    Is the name of the administrative role that can modify the role. The administrative role must have the solaris.role.assign authorization. If you are modifying a role that you have assumed, the role must have the solaris.role.delegate authorization.

-l
    Is the prompt for the password of admin-role.

--
    Is the required separator between authentication options and subcommand options.

-n username
    Is the name of the user who is being assigned rolename.

-a rolename
    Is the name of the role that you are assigning to username. You can specify multiple -a rolename options.
For more command options, see the smuser(1M) man page.
In this example, the user jdoe can now assume the role of System Administrator.
$ usermod -R sysadmin jdoe

This role is added to the roles that the user can assume.
In this example, the user jdoe is assigned two roles, System Administrator and Operator. Because the user and the roles are defined locally, the -D option is not necessary.
$ /usr/sadm/bin/smuser -r primaryadm -l <Type primaryadm password> \
modify -- -n jdoe -a sysadmin -a operadm
In the following example, the user is defined in the NIS name service. Therefore, the -D option is required. Two roles are defined in the name service. One role, root, is defined locally.
$ /usr/sadm/bin/smuser -D nis:/examplehost/example.domain \
-r primaryadm -l <Type primaryadm password> \
modify -- -n jdoe -a sysadmin -a operadm -a root
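The note above prefers roles over authorizations or rights profiles granted directly to users. The following script, added here as an example and not part of the Solaris guide, audits a user_attr(4)-style database for that practice and reports a user's assigned roles; it assumes the user_attr record format user:qualifier:res1:res2:attr with ';'-separated key=value pairs, and works on constructed sample data rather than a live /etc/user_attr.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: audit a user_attr(4)-style
# database for auths= or profiles= granted directly to a normal user
# instead of through a role, and look up the roles a user may assume.
# Assumed record format (user_attr): user:qualifier:res1:res2:attr, where
# attr is a ';'-separated list of key=value pairs such as type=, roles=, auths=.

# Constructed sample data; a real audit would read /etc/user_attr instead.
USER_ATTR_SAMPLE=$(cat <<'EOF'
root::::type=normal;auths=solaris.*;profiles=All
jdoe::::type=normal;roles=sysadmin,operadm
sysadmin::::type=role;profiles=System Administrator
ksmith::::type=normal;auths=solaris.role.assign;roles=operadm
EOF
)

# user_attr_value DATA USER KEY: print the value of KEY in USER's record
# (empty output if the user or key is absent).
user_attr_value() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v k="$3" '
        $1 == u && $5 != "" {
            prefix = k "="
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], prefix) == 1) { print substr(kv[i], length(prefix) + 1); exit }
        }'
}

# direct_grants DATA: list normal (type=normal) users whose own record
# carries auths= or profiles=, one username per line.
direct_grants() {
    printf '%s\n' "$1" | awk -F: '
        $5 ~ /(^|;)type=normal(;|$)/ && $5 ~ /(^|;)(auths|profiles)=/ { print $1 }'
}

# Stand-alone run: show jdoe's roles, then flag users with direct grants.
printf 'roles for jdoe: %s\n' "$(user_attr_value "$USER_ATTR_SAMPLE" jdoe roles)"
direct_grants "$USER_ATTR_SAMPLE" | while read -r u; do
    printf 'WARNING: %s has auths/profiles assigned directly; prefer a role\n' "$u"
done
```

On a real host, replace the sample with the contents of /etc/user_attr (or the name service's user_attr table) and review every flagged user against the roles it could be given instead.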