To verify each role, assume the role. Then, perform tasks that only that role can perform.
If you have configured DNS or routing, you must reboot after you create the roles and before you verify that the roles work.
For each role, log in as a user who can assume the role.
Open the Trusted Path menu.
In the role workspace, start the Solaris Management Console.
$ /usr/sbin/smc &
Select the appropriate scope for the role that you are testing.
Click System Services, and navigate to Users.
You are prompted for a password.
Click a user.
The System Administrator role should be able to modify fields under the General, Home Directory, and Group tabs.
If you configured the roles to enforce separation of duty, then the System Administrator role cannot set the user's initial password.
The Security Administrator role should be able to modify fields under all tabs.
If you configured the roles to enforce separation of duty, then the Security Administrator role cannot create a user.
The Primary Administrator role should be able to modify fields under all tabs.
(Optional) If you are enforcing separation of duty, prevent the default rights profiles from being used.
When the system is upgraded to a newer version of the Solaris OS, the System Administrator, User Management, and User Security default profiles are replaced.
In the trusted editor, perform one of the following steps:
Remove the three rights profiles from the prof_attr file.
Removal prevents an administrator from viewing or assigning these profiles. Also, remove the prof_attr.orig file.
Comment out the three rights profiles in the prof_attr file.
Commenting out the rights profiles prevents these profiles from being viewed in the Solaris Management Console or from being used in commands that manage users. The profiles and their contents can still be viewed in the prof_attr file.
Type a different description for the three rights profiles in the prof_attr file.
Edit the prof_attr file to change the description field of these rights profiles. For example, you might replace the descriptions with Do not use this profile. This change warns an administrator to not use the profile, but does not prevent the profile from being used.