JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Security Services     Oracle Solaris 10 8/11 Information Library
Oracle Technology Network
Library
PDF
Print View
Feedback
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Controlling Access to Devices (Tasks)

5.  Using the Basic Audit Reporting Tool (Tasks)

6.  Controlling Access to Files (Tasks)

7.  Using the Automated Security Enhancement Tool (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

Contents of Rights Profiles

Primary Administrator Rights Profile

System Administrator Rights Profile

Operator Rights Profile

Printer Management Rights Profile

Basic Solaris User Rights Profile

All Rights Profile

Order of Rights Profiles

Viewing the Contents of Rights Profiles

Authorization Naming and Delegation

Authorization Naming Conventions

Example of Authorization Granularity

Delegation Authority in Authorizations

Databases That Support RBAC

RBAC Database Relationships

RBAC Databases and the Naming Services

user_attr Database

auth_attr Database

prof_attr Database

exec_attr Database

policy.conf File

RBAC Commands

Commands That Manage RBAC

Commands That Require Authorizations

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Cryptographic Services

13.  Oracle Solaris Cryptographic Framework (Overview)

14.  Oracle Solaris Cryptographic Framework (Tasks)

15.  Oracle Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Oracle Solaris Secure Shell (Tasks)

20.  Oracle Solaris Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Oracle Solaris Auditing

28.  Oracle Solaris Auditing (Overview)

29.  Planning for Oracle Solaris Auditing

30.  Managing Oracle Solaris Auditing (Tasks)

31.  Oracle Solaris Auditing (Reference)

Glossary

Index

RBAC Commands

This section lists commands that are used to administer RBAC. Also provided is a table of commands whose access can be controlled by authorizations.

Commands That Manage RBAC

While you can edit the local RBAC databases manually, such editing is strongly discouraged. The following commands are available for managing access to tasks with RBAC.

Table 10-7 RBAC Administration Commands

Man Page for Command
Description
auths(1)
Displays authorizations for a user.
makedbm(1M)
Makes a dbm file.
nscd(1M)
Name service cache daemon, useful for caching the user_attr, prof_attr, and exec_attr databases. Use the svcadm command to restart the daemon.
pam_roles(5)
Role account management module for PAM. Checks for the authorization to assume role.
pfexec(1)
Used by profile shells to execute commands with security attributes that are specified in the exec_attr database.
policy.conf(4)
Configuration file for system security policy. Lists granted authorizations, granted privileges, and other security information.
profiles(1)
Displays rights profiles for a specified user.
roles(1)
Displays roles that a specified user can assume.
roleadd(1M)
Adds a role to a local system.
roledel(1M)
Deletes a role from a local system.
rolemod(1M)
Modifies a role's properties on a local system.
smattrpop(1M)
Merges the source security attribute database into the target database. For use in situations where local databases need to be merged into a naming service. Also for use in upgrades where conversion scripts are not supplied.
smexec(1M)
Manages entries in the exec_attr database. Requires authentication.
smmultiuser(1M)
Manages bulk operations on user accounts. Requires authentication.
smprofile(1M)
Manages rights profiles in the prof_attr and exec_attr databases. Requires authentication.
smrole(1M)
Manages roles and users in role accounts. Requires authentication.
smuser(1M)
Manages user entries. Requires authentication.
useradd(1M)
Adds a user account to the system. The -R option assigns a role to a user's account.
userdel(1M)
Deletes a user's login from the system.
usermod(1M)
Modifies a user's account properties on the system.

Commands That Require Authorizations

The following table provides examples of how authorizations are used to limit command options on an Oracle Solaris system. For more discussion of authorizations, see Authorization Naming and Delegation.

Table 10-8 Commands and Associated Authorizations

Man Page for Command
Authorization Requirements
at(1)
solaris.jobs.user required for all options (when neither at.allow nor at.deny files exist)
atq(1)
solaris.jobs.admin required for all options
cdrw(1)
solaris.device.cdrw required for all options, and is granted by default in the policy.conf file
crontab(1)
solaris.jobs.user required for the option to submit a job (when neither crontab.allow nor crontab.deny files exist)

solaris.jobs.admin required for the options to list or modify other users' crontab files
allocate(1)
solaris.device.allocate (or other authorization as specified in device_allocate file) required to allocate a device

solaris.device.revoke (or other authorization as specified in device_allocate file) required to allocate a device to another user (-F option)
deallocate(1)
solaris.device.allocate (or other authorization as specified in device_allocate file) required to deallocate another user's device

solaris.device.revoke (or other authorization as specified in device_allocate) required to force deallocation of the specified device (-F option) or all devices (-I option)
list_devices(1)
solaris.device.revoke required to list another user's devices (-U option)
sendmail(1M)
solaris.mail required to access mail subsystem functions; solaris.mail.mailq required to view mail queue
Copyright © 2002, 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous Next