System Administration Guide: Security Services

RBAC Commands

This section lists commands that are used to administer RBAC. Also provided is a table of commands whose access can be controlled by authorizations.

Command-Line Applications for Managing RBAC

In addition to editing the RBAC databases directly, the following commands are available for managing access to tasks with RBAC.

Table 7–7 RBAC Administration Commands

| Command | Description |
|---|---|
| auths(1) | Displays authorizations for a user. |
| makedbm(1M) | Makes a dbm file. |
| nscd(1M) | Name service cache daemon, useful for caching the user_attr, prof_attr, and exec_attr databases. |
| pam_roles(5) | Role account management module for PAM. Checks for the authorization to assume a role. |
| pfexec(1) | Used by profile shells to execute commands with the attributes that are specified in the exec_attr database. |
| policy.conf(4) | Configuration file for security policy. Lists granted authorizations. |
| profiles(1) | Displays rights profiles for a specified user. |
| roles(1) | Displays roles that are granted to a user. |
| roleadd(1M) | Adds a role to the system. |
| roledel(1M) | Deletes a role from the system. |
| rolemod(1M) | Modifies a role's properties on the system. |
| smattrpop(1M) | Merges the source security attribute database into the target database. For use in situations where local databases need to be merged into a name service and in upgrades where conversion scripts are not supplied. |
| smexec(1M) | Manages entries in the exec_attr database. Requires authentication. |
| smmultiuser(1M) | Manages bulk operations on user accounts. Requires authentication. |
| smuser(1M) | Manages user entries. Requires authentication. |
| smprofile(1M) | Manages rights profiles in the prof_attr and exec_attr databases. Requires authentication. |
| smrole(1M) | Manages roles and users in role accounts. Requires authentication. |
| useradd(1M) | Adds a user account to the system. The -P option assigns a role to a user's account. |
| userdel(1M) | Deletes a user's login from the system. |
| usermod(1M) | Modifies a user's account properties on the system. |

Commands That Require Authorizations

The following table provides examples of how authorizations are used to limit command options in the Solaris environment. See also Authorizations.

Table 7–8 Commands and Associated Authorizations

| Commands | Authorization Requirements |
|---|---|
| at(1) | solaris.jobs.user required for all options (when neither at.allow nor at.deny files exist) |
| atq(1) | solaris.jobs.admin required for all options |
| crontab(1) | solaris.jobs.user required for the option to submit a job (when neither crontab.allow nor crontab.deny files exist). solaris.jobs.admin required for the options to list or modify other users' crontab files |
| allocate(1) (with BSM enabled only) | solaris.device.allocate (or other authorization as specified in device_allocate(4)) required to allocate a device. solaris.device.revoke (or other authorization as specified in device_allocate(4)) required to allocate a device to another user (-F option) |
| deallocate(1) (with BSM enabled only) | solaris.device.allocate (or other authorization as specified in device_allocate(4)) required to deallocate another user's device. solaris.device.revoke (or other authorization as specified in device_allocate(4)) required to force deallocation of the specified device (-F option) or all devices (-I option) |
| list_devices(1) (with BSM enabled only) | solaris.device.revoke required to list another user's devices (-U option) |
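To show how the authorization names in Table 7–8 are resolved before a command option is allowed, here is an added Python example. It is not Solaris code and not part of this guide; it is a simplified model of the lookup that chkauthattr(3SECDB) performs: parse user_attr, prof_attr and policy.conf text, walk nested rights profiles, honour the trailing `.*` wildcard, and ask whether a user may run the command forms the table lists. It also models the condition pam_roles(5) checks before a role can be assumed. The user names, profile contents, policy.conf lines and the helper names (`effective_auths`, `has_auth`, `may_run`, `may_assume_role`) are all constructed for the example.

```python
# Added example (not Solaris code): a simplified model of the chkauthattr(3SECDB)
# lookup behind the Table 7-8 checks. All database text below is constructed.

# user_attr: user:qualifier:res1:res2:attr
USER_ATTR = """\
root::::auths=solaris.*;profiles=All
sysadmin::::type=role;profiles=System Administrator
alice::::type=normal;auths=solaris.device.allocate;profiles=Cron Management;roles=sysadmin
bob::::type=normal
"""
# prof_attr: profname:res1:res2:desc:attr (a profile may nest other profiles)
PROF_ATTR = """\
All:::Execute any command as the user or role:help=RtAll.html
Basic Solaris User:::Automatically assigned rights:auths=solaris.jobs.user,solaris.profmgr.read;profiles=All
Cron Management:::Manage at and cron jobs:auths=solaris.jobs.*;help=RtCronMngmnt.html
Device Management:::Control access to removable media:auths=solaris.device.*;help=RtDeviceMngmnt.html
System Administrator:::Most non-security administrative tasks:profiles=Cron Management,Device Management,All
"""
# policy.conf: authorizations and profiles granted to every user by default
POLICY_CONF = """\
# comment lines are ignored
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
"""

def parse_attrs(field):
    """Turn 'k1=a,b;k2=c' into {'k1': ['a', 'b'], 'k2': ['c']}."""
    out = {}
    for item in field.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            out[key.strip()] = [v.strip() for v in val.split(",") if v.strip()]
    return out

def parse_db(text):
    """Load a 5-field colon-separated database keyed by its first field."""
    db = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":", 4)  # never split inside the 5th (attr) field
            db[fields[0]] = parse_attrs(fields[4]) if len(fields) == 5 else {}
    return db

def parse_policy_conf(text):
    """Return (AUTHS_GRANTED list, PROFS_GRANTED list) from policy.conf text."""
    granted = {"AUTHS_GRANTED": [], "PROFS_GRANTED": []}
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip() in granted:
            granted[key.strip()] += [v.strip() for v in val.split(",") if v.strip()]
    return granted["AUTHS_GRANTED"], granted["PROFS_GRANTED"]

USERS, PROFILES = parse_db(USER_ATTR), parse_db(PROF_ATTR)
DEFAULT_AUTHS, DEFAULT_PROFS = parse_policy_conf(POLICY_CONF)

def profile_auths(name, seen):
    """Auths from one profile plus the profiles it nests (cycle-safe)."""
    if name in seen or name not in PROFILES:
        return []
    seen.add(name)
    auths = list(PROFILES[name].get("auths", []))
    for sub in PROFILES[name].get("profiles", []):
        auths += profile_auths(sub, seen)
    return auths

def effective_auths(user):
    """Direct auths, auths of assigned and default profiles, and policy.conf defaults."""
    attrs = USERS.get(user, {})
    auths, seen = list(attrs.get("auths", [])) + list(DEFAULT_AUTHS), set()
    for prof in attrs.get("profiles", []) + DEFAULT_PROFS:
        auths += profile_auths(prof, seen)
    return sorted(set(auths))

def has_auth(user, required):
    """A granted 'solaris.jobs.*' covers every authorization under solaris.jobs."""
    for granted in effective_auths(user):
        if granted == required or (granted.endswith(".*") and required.startswith(granted[:-1])):
            return True
    return False

def may_assume_role(user, role):
    """The pam_roles(5) condition: target is type=role and appears in the user's roles list."""
    return USERS.get(role, {}).get("type") == ["role"] and role in USERS.get(user, {}).get("roles", [])

# Authorization each command form needs, taken from Table 7-8 (at/crontab rows
# assume no .allow/.deny file exists; allocate/deallocate assume BSM is enabled).
REQUIRED = {
    ("at", ""): "solaris.jobs.user",
    ("atq", ""): "solaris.jobs.admin",
    ("crontab", "other-user"): "solaris.jobs.admin",
    ("allocate", ""): "solaris.device.allocate",
    ("allocate", "-F"): "solaris.device.revoke",
    ("deallocate", "-F"): "solaris.device.revoke",
    ("list_devices", "-U"): "solaris.device.revoke",
}

def may_run(user, command, option=""):
    """True if the user holds the authorization this form of the command needs."""
    return has_auth(user, REQUIRED[(command, option)])
```

With the constructed data, `alice` may run atq(1) because the Cron Management profile grants `solaris.jobs.*`, but not `allocate -F`, which needs `solaris.device.revoke`; `bob` holds only the policy.conf defaults, so at(1) is allowed and atq(1) is not. The point for an administrator is that a single wildcard entry in a rights profile, or a default in policy.conf, silently widens what every user can do, so the resolved list (here `effective_auths`, on a real system `auths(1)`) is what to review, not the per-user entry alone.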