JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11.1 Administration: Security Services     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Verifying File Integrity by Using BART (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Rights Profiles

Viewing the Contents of Rights Profiles

Order of Search for Assigned Security Attributes

Authorizations

Authorization Naming Conventions

Delegation Authority in Authorizations

RBAC Databases

RBAC Databases and the Naming Services

user_attr Database

auth_attr Database

prof_attr Database

exec_attr Database

policy.conf File

RBAC Commands

Commands That Manage RBAC

Selected Commands That Require Authorizations

Privileges

Administrative Commands for Handling Privileges

Files With Privilege Information

Privileges and Auditing

Prevention of Privilege Escalation

Legacy Applications and the Privilege Model

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Using Pluggable Authentication Modules

15.  Using Secure Shell

16.  Secure Shell (Reference)

17.  Using Simple Authentication and Security Layer

18.  Network Services Authentication (Tasks)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

23.  Administering Kerberos Principals and Policies (Tasks)

24.  Using Kerberos Applications (Tasks)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)

Glossary

Index

RBAC Commands

This section lists commands that are used to administer RBAC. Also provided is a table of commands whose access can be controlled by authorizations.

Commands That Manage RBAC

The following commands retrieve and set RBAC information.

Table 10-1 RBAC Administration Commands

Man Page for Command
Description
Displays authorizations for a user.
Interface to list the contents of the user_attr, prof_attr, and exec_attr databases.
Name service cache daemon, useful for caching the user_attr, prof_attr, and exec_attr databases. Use the svcadm command to restart the daemon.
Role account management module for PAM. Checks for the authorization to assume role.
Used to edit system files by non-root users when they are assigned the solaris.admin.edit/path-to-system-file authorization.
Used by profile shells to execute commands with security attributes that are specified in the exec_attr database.
Configuration file for system security policy. Lists granted authorizations, granted privileges, and other security information.
Displays rights profiles for a specified user. Creates or modifies a rights profile on a local system or an LDAP network.
Displays roles that a specified user can assume.
Adds a role to a local system or to an LDAP network.
Adds a role to a local system or to an LDAP network.
Modifies a role's properties on a local system or on an LDAP network.
Displays the value of a specific right that is assigned to a user or role account.
Adds a user account to the system or to an LDAP network. The -R option assigns a role to a user's account.
Deletes a user's login from the system or from an LDAP network.
Modifies a user's account properties on the system.

Selected Commands That Require Authorizations

The following table provides examples of how authorizations are used to limit command options on an Oracle Solaris system. For more discussion of authorizations, see Authorizations.

Table 10-2 Commands and Associated Authorizations

Man Page for Command
Authorization Requirements
solaris.jobs.user required for all options (when neither at.allow nor at.deny files exist)
solaris.jobs.admin required for all options
solaris.device.cdrw required for all options, and is granted by default in the policy.conf file
solaris.jobs.user required for the option to submit a job (when neither crontab.allow nor crontab.deny files exist)

solaris.jobs.admin required for the options to list or modify other users' crontab files

solaris.device.allocate (or other authorization as specified in device_allocate file) required to allocate a device

solaris.device.revoke (or other authorization as specified in device_allocate file) required to allocate a device to another user (-F option)

solaris.device.allocate (or other authorization as specified in device_allocate file) required to deallocate another user's device

solaris.device.revoke (or other authorization as specified in device_allocate) required to force deallocation of the specified device (-F option) or all devices (-I option)

solaris.device.revoke required to list another user's devices (-U option)
solaris.user.manage required to create a role. solaris.account.activate required to set the initial password. solaris.account.setpolicy required to set password policy, such as account locking and password aging.
solaris.passwd.assign authorization required to delete the password.
solaris.passwd.assign authorization required to change the password. solaris.account.setpolicy required to change password policy, such as account locking and password aging.
solaris.mail required to access mail subsystem functions; solaris.mail.mailq required to view mail queue
solaris.user.manage required to create a user. solaris.account.activate required to set the initial password. solaris.account.setpolicy required to set password policy, such as account locking and password aging.
solaris.passwd.assign authorization required to delete the password.
solaris.passwd.assign authorization required to change the password. solaris.account.setpolicy required to change password policy, such as account locking and password aging.