Solaris WBEM Services Administration Guide

Role Assumption

A role identity can be assumed only when a WBEM user selects the Remote Method Invocation (RMI) protocol. Role assumption is not supported by the XML/HTTP protocol.

The Solaris implementation of WBEM lets a client assume the identity of a Solaris role when that client is authenticated by the CIM Object Manager on the WBEM server. When the WBEM server uses RBAC authorizations to check permissions, it checks the permission that is granted to the assumed role rather than the permission that is granted to the underlying user identity.

RBAC roles are described in more detail in “Role-Based Access Control (Overview)” in System Administration Guide: Security Services.

When the client attempts to connect, it must provide the Solaris role identity and role password in addition to a Solaris user identity and password.

If the WBEM server cannot verify the Solaris role identity, the WBEM server returns a CIM security exception that includes the NO_SUCH_ROLE error.

If the role password is invalid for the specified role identity, the WBEM server returns the INVALID_CREDENTIAL error in the CIM security exception.

If both the role identity and role password are valid, but the user is not allowed to assume the role, the WBEM server returns the CANNOT_ASSUME_ROLE error in the CIM security exception.
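The three errors above carry different weight when reviewing failed connections: CANNOT_ASSUME_ROLE is returned only when the role identity and role password are both valid, so it shows that a user who is not assigned the role holds a working role password. The following triage script is an added example, not part of the Solaris documentation or WBEM software; the log layout, the field names, the threshold, and the finding labels are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical "key=value" layout; a real
# WBEM log is laid out differently and needs its own parser.
SAMPLE_LOG = """\
t=1 user=jdoe role=sysadm error=NO_SUCH_ROLE
t=2 user=jdoe role=sysadmin error=NO_SUCH_ROLE
t=3 user=jdoe role=admin error=NO_SUCH_ROLE
t=4 user=jdoe role=netadm error=INVALID_CREDENTIAL
t=5 user=jdoe role=netadm error=INVALID_CREDENTIAL
t=6 user=jdoe role=netadm error=INVALID_CREDENTIAL
t=7 user=mlee role=netadm error=CANNOT_ASSUME_ROLE
t=8 user=asmith role=netadm error=INVALID_CREDENTIAL
"""

LINE = re.compile(r"user=(\S+) role=(\S+) error=(\S+)")


def triage(log_text, threshold=3):  # threshold is an assumed value, tune per site
    """Return sorted (user, finding, detail) tuples for role-assumption failures."""
    unknown_roles = defaultdict(set)   # user -> role names that did not exist
    bad_password = defaultdict(int)    # (user, role) -> rejected role passwords
    findings = set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        user, role, error = m.groups()
        if error == "NO_SUCH_ROLE":
            unknown_roles[user].add(role)
        elif error == "INVALID_CREDENTIAL":
            bad_password[(user, role)] += 1
        elif error == "CANNOT_ASSUME_ROLE":
            # Role and role password were both valid, so this user holds
            # a working password for a role that is not assigned to them.
            findings.add((user, "role-password-exposed", role))
    for user, roles in unknown_roles.items():
        if len(roles) >= threshold:
            findings.add((user, "role-name-probing", str(len(roles))))
    for (user, role), count in bad_password.items():
        if count >= threshold:
            findings.add((user, "role-password-guessing", role))
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

A single role-password-exposed finding is reason to change that role's password and to review who is assigned the role, independent of any threshold.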