Role-Based Access Control

Traditional superuser-based systems grant full superuser powers to anyone who can become superuser. With role-based access control (RBAC) in the Solaris 8 operating environment, administrators can assign limited administrative capabilities to normal users. This is achieved through three new features:

• Authorizations -- user rights that grant access to a restricted function

• Execution profiles -- bundling mechanisms for grouping authorizations and commands with special attributes, typically superuser ID

• Roles -- special types of user accounts intended for performing a set of administrative tasks

The administrator creates an execution profile containing authorizations and privileged commands for a specific task or set of tasks. That profile can be assigned directly to a user or to a role. Roles, in turn, are assigned to users. To gain access to a role, a user with the assigned role executes the su command. Roles have the advantage of being shared accounts that do not need to be updated when individual responsibilities change. The following new files support RBAC:

• /etc/user_attr -- stores extended security attributes related to users and roles

• /etc/security/auth_attr -- lists and describes authorizations

• /etc/security/prof_attr -- lists execution profiles and associated authorizations

• /etc/security/exec_attr -- associates execution attributes with execution profiles

• /etc/security/policy.conf -- provides the security policy configuration for user-level attributes

For more information, see System Administration Guide, Volume 2