System Administration Guide: Security Services

RBAC Roles

A role is a special type of user account from which you can run privileged applications. Roles are created in the same general manner as user accounts, with a home directory, groups, password, and so on. The capabilities of a role are a function of the rights profiles and authorizations that are assigned to it. Roles do not have inheritance.

When a user assumes a role, the role's attributes replace all user attributes. Role information is stored in the passwd, shadow, user_attr, and audit_user databases. For detailed information on setting up roles, see Configuring Recommended Roles, Creating Roles, and Changing Role Properties.

All users who can assume the same role have the same role home directory, operate in the same environment, and have access to the same files. Users can assume roles from the command line by running su and supplying the role name and password. Users can also assume a role when they open a Solaris Management Console tool.

Users cannot log in directly to a role; they must log in to their own user account first and then assume the role. For this reason, it is useful to make root a role, which prevents anonymous root login. See Making Root a Role. A user cannot assume a role directly from another role. Because the user's real UID is preserved across the role assumption, it can always be audited.

No predefined roles are shipped with the Solaris 9 software. As stated earlier in this chapter, you can easily configure the three recommended roles.