System Administration Guide, Volume 2

Extended User Attributes Database (user_attr)

The /etc/user_attr database supplements the passwd and shadow databases. It contains extended user attributes such as authorizations and execution profiles. It also allows roles to be assigned to a user.

A role is a special type of user account that is intended for performing a set of administrative tasks. It is like a normal user account in most respects except that users can gain access to it only through the su command; it is not accessible for normal logins, for example, through the CDE login window. From a role account, a user can access commands with special attributes, typically root user ID, that are not available to users in normal accounts.

The fields in the user_attr database are separated by colons:

user:qualifier:res1:res2:attr

The fields are described in the following table.

Field Name   Description
----------   -----------
user         The name of the user as specified in the passwd(4) database.
qualifier    Reserved for future use.
res1         Reserved for future use.
res2         Reserved for future use.
attr         An optional list of semicolon-separated (;) key-value pairs that describe the security attributes to be applied when the user runs commands. There are four valid keys: auths, profiles, roles, and type.

  • auths specifies a comma-separated list of authorization names chosen from names defined in the auth_attr(4) database. Authorization names may include the asterisk (*) character as a wildcard. For example, solaris.device.* means all of the Solaris device authorizations.

  • profiles contains an ordered, comma-separated list of profile names chosen from prof_attr(4). A profile determines which commands a user can execute and with which command attributes. At a minimum, each user in user_attr should have the All profile, which makes all commands available but without any attributes. The order of profiles is important; it works similarly to UNIX search paths. The first profile in the list that contains the command to be executed defines which (if any) attributes are to be applied to the command.

  • roles can be assigned to the user using a comma-separated list of role names. Note that roles are defined in the same user_attr database. They are indicated by setting the type value to role. Roles cannot be assigned to other roles.

  • type can be set to normal, if this account is for a normal user, or to role, if this account is for a role. A role is assumed by a normal user after the user has logged in.

A user_attr database with typical values is shown in the following example.

[Figure: user_attr database with typical values]

A typical role assignment is illustrated in the following user_attr database. In this example, the sysadmin role has been assigned to the user johndoe. When assuming the sysadmin role, johndoe has access to such profiles as Device Management, Filesystem Management, and the All profile.

[Figure: user_attr database assigning the sysadmin role to johndoe]
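The following Python script is an added example, not code from the guide or from Solaris itself. It parses the five-field user:qualifier:res1:res2:attr format, interprets the four attr keys (auths with a trailing-asterisk wildcard, profiles searched in order like a path, roles that must refer to entries of type role and may not be assigned to roles, and type), and checks the johndoe/sysadmin assignment described above. The sample database is constructed for the example; the profile-to-command table is a constructed stand-in for prof_attr/exec_attr, and treating a missing type as normal is an assumption of this script.

```python
"""Parse user_attr(4)-style entries and evaluate the attr field.

Added example; not code from the guide. The sample database and the
profile-to-command table are constructed for illustration.
"""

VALID_KEYS = ("auths", "profiles", "roles", "type")

# Constructed sample database in user:qualifier:res1:res2:attr form.
SAMPLE_USER_ATTR = """\
# user:qualifier:res1:res2:attr
root::::auths=solaris.*,solaris.grant;profiles=All
sysadmin::::type=role;profiles=Device Management,Filesystem Management,All
johndoe::::type=normal;roles=sysadmin;auths=solaris.device.*;profiles=All
guest::::type=normal
"""

# Constructed stand-in for prof_attr/exec_attr: profile -> {command: attributes}.
# "All" matches every command ("*") with no attributes, as the guide describes.
SAMPLE_PROFILES = {
    "Device Management": {"/usr/sbin/allocate": {"uid": "0"}},
    "Filesystem Management": {"/usr/sbin/mount": {"uid": "0"},
                              "/usr/sbin/umount": {"uid": "0"}},
    "All": {"*": {}},
}


def parse_user_attr(text):
    """Return {user: {"qualifier", "res1", "res2", "attrs"}} for each entry."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)  # keep any later colons inside attr
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 colon-separated fields")
        user, qualifier, res1, res2, attr = fields
        attrs = {"type": "normal"}  # assumption: a missing type is treated as normal
        for pair in filter(None, attr.split(";")):
            key, sep, value = pair.partition("=")
            if not sep or key not in VALID_KEYS:
                raise ValueError(f"line {lineno}: bad attr pair {pair!r}")
            # type is a single value; the other three keys are comma-separated lists
            attrs[key] = value if key == "type" else [v for v in value.split(",") if v]
        if attrs["type"] not in ("normal", "role"):
            raise ValueError(f"line {lineno}: type must be normal or role")
        entries[user] = {"qualifier": qualifier, "res1": res1,
                         "res2": res2, "attrs": attrs}
    return entries


def validate(entries):
    """List policy problems: roles assigned to roles, undefined roles, no profiles."""
    problems = []
    for user, entry in entries.items():
        attrs = entry["attrs"]
        if attrs["type"] == "role" and attrs.get("roles"):
            problems.append(f"{user}: roles cannot be assigned to other roles")
        for role in attrs.get("roles", []):
            target = entries.get(role)
            if target is None or target["attrs"]["type"] != "role":
                problems.append(f"{user}: {role} is not defined as a role")
        if not attrs.get("profiles"):
            problems.append(f"{user}: has no profiles; the guide recommends at least All")
    return problems


def has_auth(entries, user, auth):
    """True if an entry in the user's auths list grants auth.

    A trailing '*' is the wildcard: solaris.device.* covers solaris.device.allocate.
    """
    for pattern in entries[user]["attrs"].get("auths", []):
        if pattern.endswith("*"):
            if auth.startswith(pattern[:-1]):
                return True
        elif pattern == auth:
            return True
    return False


def command_attrs(entries, user, command, profiles=SAMPLE_PROFILES):
    """Search the user's profiles in order, like a PATH lookup.

    The first profile containing the command decides its attributes;
    None means no profile grants the command at all.
    """
    for name in entries[user]["attrs"].get("profiles", []):
        commands = profiles.get(name, {})
        if command in commands:
            return commands[command]
        if "*" in commands:
            return commands["*"]
    return None


def assume_role(entries, user, role):
    """Return the role's entry if user is allowed to su to it, else raise."""
    target = entries.get(role)
    if (role not in entries[user]["attrs"].get("roles", [])
            or target is None or target["attrs"]["type"] != "role"):
        raise PermissionError(f"{user} may not assume {role}")
    return target


if __name__ == "__main__":
    db = parse_user_attr(SAMPLE_USER_ATTR)
    print(validate(db))
    print(has_auth(db, "johndoe", "solaris.device.allocate"))
    print(command_attrs(db, "johndoe", "/usr/sbin/mount"))   # All: allowed, no attrs
    assume_role(db, "johndoe", "sysadmin")
    print(command_attrs(db, "sysadmin", "/usr/sbin/mount"))  # Filesystem Management
```

Run as a script it prints the validation findings for the constructed database, then shows the difference between johndoe running mount under the All profile (permitted, no attributes) and the same command after assuming sysadmin, where the Filesystem Management profile supplies the attributes.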