This section describes role-based access control (RBAC) in Sun Cluster Geographic Edition software.
Sun Cluster Geographic Edition software bases its RBAC profiles on the RBAC rights profiles that are used in the Sun Cluster software. For general information about setting up and using RBAC with Sun Cluster software, refer to Chapter 2, Sun Cluster and RBAC, in Sun Cluster System Administration Guide for Solaris OS.
Sun Cluster Geographic Edition software adds the following new RBAC entities to the appropriate file in the /etc/security directory:
- RBAC authentication names to auth_attr
- RBAC execution profiles to prof_attr
- RBAC execution attributes to exec_attr
The default search order for the auth_attr and prof_attr databases is files nis, which is defined in the /etc/nsswitch.conf file. If you have customized the search order in your environment, confirm that files is in the search list. Including files in the search list enables your system to find the RBAC entries that Sun Cluster Geographic Edition defined.
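The search-order check described above can be scripted. The following is an added example, not part of the Sun documentation: the function names and the sample file are constructed for illustration, and a POSIX awk is assumed.

```shell
#!/bin/sh
# Added example: confirm that "files" is in the nsswitch.conf search list
# for the auth_attr and prof_attr databases. Function names are hypothetical.

# rbac_source_status FILE DB -> prints one of: ok | no-files | missing
#   missing = FILE has no entry for DB; reported for manual review.
rbac_source_status() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                        # strip comments
        {
            n = index($0, ":"); if (n == 0) next  # not a "db: sources" line
            name = substr($0, 1, n - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            found = 1
            m = split(substr($0, n + 1), tok)     # sources and [criteria]
            for (i = 1; i <= m; i++) if (tok[i] == "files") hasfiles = 1
        }
        END { print (!found ? "missing" : (hasfiles ? "ok" : "no-files")) }
    ' "$1"
}

# check_rbac_nsswitch [FILE] -> one status line per database;
# returns 1 if either database is not "ok".
check_rbac_nsswitch() {
    nss_conf=${1:-/etc/nsswitch.conf}
    nss_rc=0
    for nss_db in auth_attr prof_attr; do
        nss_status=$(rbac_source_status "$nss_conf" "$nss_db")
        echo "$nss_db: $nss_status"
        [ "$nss_status" = ok ] || nss_rc=1
    done
    return "$nss_rc"
}

# Constructed sample: a customized order that dropped "files" for prof_attr.
demo_conf() {
    printf '%s\n' 'passwd: files nis' \
        'auth_attr: files nis   # default order' \
        'prof_attr: nis'
}

# Pass a path to check that file, for example /etc/nsswitch.conf.
if [ "$#" -gt 0 ]; then check_rbac_nsswitch "$1"; fi
```

A result of `no-files` for either database means the Sun Cluster Geographic Edition entries in /etc/security will not be found on that node.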
The Sun Cluster Geographic Edition CLI and GUI use RBAC rights to control end-user access to operations. The general conventions for these rights are described in Table 4–1.
Table 4–1 Sun Cluster Geographic Edition RBAC Rights Profiles
| Rights Profile | Included Authorizations | Role Identity Permission |
|---|---|---|
| Geo Management | solaris.cluster.geo.read | Read information about the Sun Cluster Geographic Edition entities |
| | solaris.cluster.geo.admin | Perform administrative tasks with the Sun Cluster Geographic Edition software |
| | solaris.cluster.geo.modify | Modify the configuration of the Sun Cluster Geographic Edition software |
| Basic Solaris User | Solaris authorizations | Perform the same operations that the Basic Solaris User role identity can perform |
| | solaris.cluster.geo.read | Read information about the Sun Cluster Geographic Edition entities |
When you grant authorization to users other than superuser, you must do so on all nodes of both partner clusters. Otherwise, some operations that have a global scope might fail, due to insufficient user rights on one or more nodes in the partnership.
To modify the RBAC rights for a user, you must be logged in as superuser or assume a role that is assigned the Primary Administrator rights profile.
For example, you can assign the Geo Management RBAC profile to the user admin as follows:
```
# usermod -P "Geo Management" admin
# profiles admin
Geo Management
Basic Solaris User
#
```
For more information about how to modify the RBAC properties for a user, refer to Chapter 2, Sun Cluster and RBAC, in Sun Cluster System Administration Guide for Solaris OS.