JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Security Services     Oracle Solaris 11 Express 11/10
Oracle Technology Network
Library
PDF
Print View
Feedback
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Using the Basic Audit Reporting Tool (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

Order of Search for Assigned Security Attributes

Contents of Rights Profiles

System Administrator Rights Profile

Operator Rights Profile

Printer Management Rights Profile

Basic Solaris User Rights Profile

Console User Rights Profile

All Rights Profile

Stop Rights Profile

Order of Rights Profiles

Viewing the Contents of Rights Profiles

Authorization Naming and Delegation

Authorization Naming Conventions

Example of Authorization Granularity

Delegation Authority in Authorizations

Databases That Support RBAC

RBAC Database Relationships

RBAC Databases and the Naming Services

user_attr Database

auth_attr Database

prof_attr Database

exec_attr Database

policy.conf File

RBAC Commands

Commands That Manage RBAC

Commands That Require Authorizations

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Oracle Solaris Cryptographic Services

13.  Oracle Solaris Cryptographic Framework (Overview)

14.  Oracle Solaris Cryptographic Framework (Tasks)

15.  Oracle Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Solaris Secure Shell (Tasks)

20.  Solaris Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Oracle Solaris Auditing

28.  Oracle Solaris Auditing (Overview)

29.  Planning for Oracle Solaris Auditing

30.  Managing Oracle Solaris Auditing (Tasks)

31.  Oracle Solaris Auditing (Reference)

Glossary

Index

RBAC Commands

This section lists commands that are used to administer RBAC. Also provided is a table of commands whose access can be controlled by authorizations.

Commands That Manage RBAC

While you can edit the local RBAC databases manually, such editing is strongly discouraged. The following commands are available for managing access to tasks with RBAC.

Table 10-7 RBAC Administration Commands

Man Page for Command
Description
auths(1)
Displays authorizations for a user.
nscd(1M)
Name service cache daemon, useful for caching the user_attr, prof_attr, and exec_attr databases. Use the svcadm command to restart the daemon.
pam_roles(5)
Role account management module for PAM. Checks for the authorization to assume role.
pfexec(1)
Used by profile shells to execute commands with security attributes that are specified in the exec_attr database.
policy.conf(4)
Configuration file for system security policy. Lists granted authorizations, granted privileges, and other security information.
profiles(1)
Displays rights profiles for a specified user.
roles(1)
Displays roles that a specified user can assume.
roleadd(1M)
Adds a role to a local system or to an LDAP network.
roledel(1M)
Deletes a role from a local system or from an LDAP network.
rolemod(1M)
Modifies a role's properties on a local system or on an LDAP network.
userattr(1)
Displays the value of a specific right that is assigned to a user or role account.
useradd(1M)
Adds a user account to the system or to an LDAP network. The -R option assigns a role to a user's account.
userdel(1M)
Deletes a user's login from the system or from an LDAP network.
usermod(1M)
Modifies a user's account properties on the system.

Commands That Require Authorizations

The following table provides examples of how authorizations are used to limit command options on an Oracle Solaris system. For more discussion of authorizations, see Authorization Naming and Delegation.

Table 10-8 Commands and Associated Authorizations

Man Page for Command
Authorization Requirements
at(1)
solaris.jobs.user required for all options (when neither at.allow nor at.deny files exist)
atq(1)
solaris.jobs.admin required for all options
cdrw(1)
solaris.device.cdrw required for all options, and is granted by default in the policy.conf file
crontab(1)
solaris.jobs.user required for the option to submit a job (when neither crontab.allow nor crontab.deny files exist)

solaris.jobs.admin required for the options to list or modify other users' crontab files
allocate(1)
solaris.device.allocate (or other authorization as specified in device_allocate file) required to allocate a device

solaris.device.revoke (or other authorization as specified in device_allocate file) required to allocate a device to another user (-F option)
deallocate(1)
solaris.device.allocate (or other authorization as specified in device_allocate file) required to deallocate another user's device

solaris.device.revoke (or other authorization as specified in device_allocate) required to force deallocation of the specified device (-F option) or all devices (-I option)
list_devices(1)
solaris.device.revoke required to list another user's devices (-U option)
roleadd(1M)
solaris.user.manage required to create a role. solaris.account.activate required to set the initial password. solaris.account.setpolicy required to set password policy, such as account locking and password aging.
roledel(1M)
solaris.passwd.assign authorization required to delete the password.
rolemod(1M)
solaris.passwd.assign authorization required to change the password. solaris.account.setpolicy required to change password policy, such as account locking and password aging.
useradd(1M)
solaris.user.manage required to create a user. solaris.account.activate required to set the initial password. solaris.account.setpolicy required to set password policy, such as account locking and password aging.
userdel(1M)
solaris.passwd.assign authorization required to delete the password.
usermod(1M)
solaris.passwd.assign authorization required to change the password. solaris.account.setpolicy required to change password policy, such as account locking and password aging.
sendmail(1M)
solaris.mail required to access mail subsystem functions; solaris.mail.mailq required to view mail queue
Copyright © 2002, 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous Next