System Administration Guide: Security Services

Changing Role Properties

To change a role, you must either assume a role that has the Primary Administrator rights profile assigned to it, or run the User Tool Collection as the root user if roles have not yet been set up.

How to Change a Role by Using the Administrative Roles Tool
  1. Start the Administrative Roles tool.

    To run the Administrative Roles tool, you need to start the Solaris Management Console, as described in How to Assume a Role in the Console Tools. Then, open the User Tool Collection, and click the Administrative Roles icon.

    After the Administrative Roles tool starts, the icons for the existing roles are displayed in the view pane.

  2. Click the role to be changed and select the appropriate item from the Action menu, as follows:

    • To change users who are assigned to a role, select Assign Administrative Role.

      The Assign Administrative Role dialog box is displayed. The Assign Administrative Role dialog box is a modified version of the Role Properties dialog box and has a Users tab only. Use the Add field to assign a user in the current scope to this role. Use the Delete field to remove a user's role assignment. Click OK to save.

    • To change rights that are assigned to a role, select Assign Rights to Role.

      The Assign Rights to Role dialog box is displayed. The Assign Rights to Role dialog box is a modified version of the Role Properties dialog box and has a Rights tab only. Use the Available Rights and Granted Rights columns to add or remove rights profiles for the selected role. Click OK to save.

    • To change any of the role's properties, select Properties (or simply double-click the role icon).

      The Role Properties dialog box is displayed, which provides access to all role properties (see the following figure and table). Use the tabs to navigate to any information to be changed, make your changes, and click OK to save.

      Figure 6–4 Role Properties Dialog Box

      Dialog box titled Role Properties shows the Help pane and the tabs for General, Home Directory, Rights, Password, Users, and Group.

      Table 6–2 Role Properties Summary

      Tab             Tab Description
      --------------  -----------------------------------------------------------
      General         Specifies the role identification information and the
                      default login shell.
      Password        Specifies the role password.
      Users           Specifies the users who are assigned to the role.
      Group           Sets the role's primary groups and secondary groups for the
                      purpose of accessing and creating files and directories.
      Home Directory  Specifies the role's home directory, home directory server,
                      automounting, and directory access.
      Rights          Allows rights profiles to be assigned to the role. The
                      precedence of the assigned rights profiles can be changed
                      here.

How to Change a Role From the Command Line
  1. Become superuser or assume a role that is capable of changing other roles.

  2. Use the command that is appropriate for the task:

    • Use the rolemod command to modify the attributes of a role that are defined locally.

    • Use the roledel command to delete a role that is defined locally.

    • Edit the user_attr file to change the authorizations or rights profiles that are assigned to a local role.

      This method is recommended for emergencies only, as it is easy to make a mistake while you are typing.

    • Use the smrole command to modify the attributes of a role in a name service.

      This command requires authentication as superuser or as a role that is capable of changing other roles. The smrole command runs as a client of the Solaris Management Console server.
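
Because hand edits to user_attr are easy to mistype, a syntax check before saving catches the common slips. The following is an added example, not part of the original guide or of Solaris: a small Python linter for the user_attr(4) entry format (user:qualifier:res1:res2:attr). The function names, the sample entries, and the limited key set are assumptions made for illustration. It treats roles= on a type=role entry as an error, since roles are assumed by normal users.

```python
# Added example (not from the guide): lint user_attr(4) text before saving it.
# Assumes no backslash-escaped ':' ';' '=' or ',' characters inside values.
KNOWN_KEYS = {"type", "auths", "profiles", "roles"}  # subset; extend as needed

def parse_line(line):
    """Return (name, attrs) for one entry or raise ValueError naming the typo."""
    fields = line.split(":")
    if len(fields) != 5:
        raise ValueError(f"expected 5 colon-separated fields, got {len(fields)}")
    name, qualifier, res1, res2, attr = fields
    if not name or qualifier or res1 or res2:
        raise ValueError("name must be set and the three reserved fields empty")
    attrs = {}
    for pair in filter(None, attr.split(";")):
        key, sep, value = pair.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed attribute {pair!r}")
        if key not in KNOWN_KEYS or key in attrs:
            raise ValueError(f"unknown or repeated key {key!r}")
        attrs[key] = value.split(",")
    return name, attrs

def lint(text):
    """Return sorted (line_number, message) problems found in user_attr text."""
    problems, entries = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.startswith("#"):
            try:
                entries.append((n, *parse_line(line)))
            except ValueError as err:
                problems.append((n, str(err)))
    roles = {name for _, name, a in entries if a.get("type") == ["role"]}
    for n, name, attrs in entries:
        if attrs.get("type", ["normal"]) not in (["normal"], ["role"]):
            problems.append((n, "type must be normal or role"))
        if name in roles and "roles" in attrs:
            problems.append((n, "roles= is not valid on a type=role entry"))
        for r in attrs.get("roles", []):
            if r not in roles:
                problems.append((n, f"roles= names {r!r}, not a local role"))
    return sorted(problems)

SAMPLE = """\
root::::type=normal;auths=solaris.*;profiles=All
operadm::::type=role;profiles=Operator
jdoe::::type=normal;roles=operadm,sysadm
printadm:::type=role;profiles=Printer Management
backup::::type=role;profile=Media Backup
"""  # constructed input; lines 3, 4 and 5 each contain one typo
```

Run lint() on a copy of the edited file and install the copy only when the returned list is empty.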