Use this task to create a new RBAC role with a Sun Cluster Management Rights Profile and to assign users to this new role.
To create a role, you must either assume a role that has the Primary Administrator rights profile assigned to it or run as root user.
Start the Administrative Roles tool.
To run the Administrative Roles tool, start the Solaris Management Console, as described in How to Assume a Role in the Solaris Management Console in System Administration Guide: Security Services. Open the User Tool Collection and click the Administrative Roles icon.
Start the Add Administrative Role wizard.
Select Add Administrative Role from the Action menu to start the Add Administrative Role wizard for configuring roles.
Set up a role to which the Cluster Management rights profile is assigned.
Use the Next and Back buttons to navigate between dialog boxes. Note that the Next button does not become active until you have filled in all required fields. The last dialog box enables you to review the entered data, at which point you can use the Back button to change entries or click Finish to save the new role. The following list summarizes the dialog box fields and buttons.
Short name of the role.
Long version of the name.
Description of the role.
UID for the role, automatically incremented.
The profile shells that are available to roles: Administrator's C, Administrator's Bourne, or Administrator's Korn shell.
Makes a mailing list for users who are assigned to this role.
Assigns or removes a role's rights profiles.
Note that the system does not prevent you from typing multiple occurrences of the same command. The attributes that are assigned to the first occurrence of a command in a rights profile have precedence and all subsequent occurrences are ignored. Use the Up and Down arrows to change the order.
Server for the home directory.
Home directory path.
Adds users who can assume this role. Must be in the same scope.
Deletes users who are assigned to this role.
You need to place this profile first in the list of profiles that are assigned to the role.
Add users who need to use the Sun Cluster Manager features or Sun Cluster commands to the newly created role.
You use the useradd(1M) command to add a user account to the system. The -P option assigns a role to a user's account.
Click Finish.
Open a terminal window and become root.
Start and stop the name service cache daemon.
The new role does not take effect until the name service cache daemon is restarted. After becoming root, type the following text:
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
Become superuser or assume a role that provides solaris.cluster.admin RBAC authorization.
Select a method for creating a role:
For roles in the local scope, use the roleadd(1M) command to specify a new local role and its attributes.
Alternatively, for roles in the local scope, edit the user_attr(4) file to add a user with type=role.
Use this method only for emergencies.
For roles in a name service, use the smrole(1M) command to specify the new role and its attributes.
This command requires authentication by superuser or by a role that is capable of creating other roles. You can apply the smrole command to all name services. This command runs as a client of the Solaris Management Console server.
Start and stop the name service cache daemon.
New roles do not take effect until the name service cache daemon is restarted. As root, type the following text:
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
The following sequence demonstrates how a role is created with the smrole command. In this example, a new version of the Operator role is created that has assigned to it the standard Operator rights profile and the Media Restore rights profile.
% su primaryadmin
# /usr/sadm/bin/smrole add -H myHost -- -c "Custom Operator" -n oper2 -a johnDoe \
-d /export/home/oper2 -F "Backup/Restore Operator" -p "Operator" -p "Media Restore"
Authenticating as user: primaryadmin

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <type primaryadmin password>

Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost
Login to myHost as user primaryadmin was successful.
Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful.

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password ::<type oper2 password>

# /etc/init.d/nscd stop
# /etc/init.d/nscd start
To view the newly created role (and any other roles), use smrole with the list option, as follows:
# /usr/sadm/bin/smrole list --
Authenticating as user: primaryadmin
Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <type primaryadmin password>

Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost
Login to myHost as user primaryadmin was successful.
Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful.

root            0       Super-User
primaryadmin    100     Most powerful role
sysadmin        101     Performs non-security admin tasks
oper2           102     Custom Operator
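Whichever method you used to create the role (smrole, roleadd, or editing user_attr(4) directly), two properties decide whether it actually grants what you intended: the entry must carry type=role, and the Cluster Management rights profile must be listed first, because the attributes of the first occurrence of a command take precedence over later ones. The following POSIX shell script is an added example, not part of the Sun Cluster documentation or product; it audits user_attr(4)-style entries for exactly those two properties. The entries in USER_ATTR_SAMPLE are constructed sample data, and the role name "clusteradmin" and the user "alice" are hypothetical. On a real system you would feed it /etc/user_attr instead of the embedded sample.

```shell
#!/bin/sh
# Added example: audit user_attr(4)-style entries for RBAC roles.
# Field layout is user:qualifier:res1:res2:attr, with attr a ';'-separated
# list of key=value pairs (type=, auths=, profiles=, roles=).
# The data below is constructed for this example; it is not from any real host.
USER_ATTR_SAMPLE='root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
clusteradmin::::type=role;auths=solaris.cluster.admin;profiles=Cluster Management,Basic Solaris User
oper2::::type=role;profiles=Operator,Media Restore
alice::::type=normal;roles=clusteradmin'

# first_profile ROLE: print the first rights profile assigned to ROLE (empty if none).
# The first profile wins when the same command appears in several profiles.
first_profile() {
    printf '%s\n' "$USER_ATTR_SAMPLE" |
    awk -F: -v role="$1" '
        $1 == role {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^profiles=/) {
                    sub(/^profiles=/, "", kv[i])
                    split(kv[i], p, ",")
                    print p[1]
                }
            }
        }'
}

# is_role NAME: succeed only if NAME is defined with type=role.
# A type=normal account with the right profiles is a login, not an assumable role.
is_role() {
    printf '%s\n' "$USER_ATTR_SAMPLE" |
    awk -F: -v name="$1" \
        '$1 == name && $5 ~ /(^|;)type=role(;|$)/ { found = 1 } END { exit !found }'
}

# users_with_role ROLE: list the accounts permitted to assume ROLE (roles= attribute).
users_with_role() {
    printf '%s\n' "$USER_ATTR_SAMPLE" |
    awk -F: -v role="$1" '
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^roles=/) {
                    sub(/^roles=/, "", kv[i])
                    m = split(kv[i], r, ",")
                    for (j = 1; j <= m; j++) if (r[j] == role) print $1
                }
            }
        }'
}

# check_role ROLE PROFILE: succeed only if ROLE is a real role and PROFILE is first.
check_role() {
    is_role "$1" || { echo "$1: not defined with type=role" >&2; return 1; }
    fp=$(first_profile "$1")
    [ "$fp" = "$2" ] || { echo "$1: first profile is '$fp', expected '$2'" >&2; return 1; }
    echo "$1: OK ('$2' is listed first)"
}

# Stand-alone run: audit the hypothetical cluster role and show who may assume it.
check_role clusteradmin "Cluster Management"
echo "Users who can assume clusteradmin:"
users_with_role clusteradmin
```

The awk matching is deliberately exact on the account name and on the type=role token, so a profile mentioned in a comment or in another account's attributes cannot produce a false "OK". Because nscd caches name-service lookups, run the audit against the file (or the name-service source) rather than against getent-style output, or you may be checking stale data until the daemon has been restarted as the procedure describes.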