JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Transitioning From Oracle Solaris 10 to Oracle Solaris 11.1     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information


1.  Transitioning From Oracle Solaris 10 to an Oracle Solaris 11 Release (Overview)

2.  Transitioning to an Oracle Solaris 11 Installation Method

3.  Managing Devices

4.  Managing Storage Features

5.  Managing File Systems

6.  Managing Software and Boot Environments

7.  Managing Network Configuration

8.  Managing System Configuration

9.  Managing Security

Security Feature Changes

Network Security Features

Pluggable Authentication Module Changes

Removed Security Features

Roles, Rights, Privileges, and Authorizations

About Rights Profiles

Viewing Privileges and Authorizations

File and File System Security Changes

aclmode Property Is Reintroduced

Encrypting ZFS File Systems

Immutable Zones

10.  Managing Oracle Solaris Releases in a Virtual Environment

11.  Managing User Accounts and User Environments

12.  Managing Desktop Features

A.  SPARC Automated Installation Scenario

Roles, Rights, Privileges, and Authorizations

The following information describes how roles, rights, privileges, and authorizations work in Oracle Solaris 11:

About Rights Profiles

Rights profiles are collections of authorizations and other security attributes, commands with security attributes, and supplementary rights profiles. Oracle Solaris provides many rights profiles. You can modify existing rights profiles, as well as create new ones. Note that rights profiles must be assigned in order, from most to least powerful.

The following are some of the rights profiles that are available:

Other rights profiles that are available in this release include the All rights profile and the Stop rights profile. For more information, see Chapter 10, Security Attributes in Oracle Solaris (Reference), in Oracle Solaris 11.1 Administration: Security Services.

Example 9-1 Displaying Information About the System Administrator Rights Profile

Use the profiles command to display information about a specific rights profile. In the following example, information about the System Administrator rights profile is displayed:

$ profiles -p "System Administrator" info
name=System Administrator
        desc=Can perform most non-security administrative tasks
        profiles=Install Service Management,Audit Review,Extended Accounting Flow
Management,Extended Accounting Net Management,Extended Accounting Process Management, 
Extended Accounting Task Management,Printer Management,Cron Management,Device Management,
File System Management,Log Management,Mail Management,Maintenance and Repair,
Media Backup,Media Catalog,Media Restore,Name Service Management,Network Management
Object Access Management,Process Management,Project Management,RAD Management,
Service Operator,Shadow Migration Monitor,Software Installation,System
Configuration,User Management,ZFS Storage Management

Viewing Privileges and Authorizations

When a user is directly assigned privileges, in effect, the privileges are in every shell. When a user is not directly assigned privileges, then the user must open a profile shell. For example, when commands with assigned privileges are in a rights profile that is in the user's list of rights profiles, then the user must execute the command in a profile shell.

To view privileges online, see privileges(5). The privilege format that is displayed is used by developers.

$ man privileges
Standards, Environments, and Macros                 privileges(5)

     privileges - process privilege model
     The defined privileges are:


         Allow a process to request reliable delivery  of  events
         to an event endpoint.

         Allow a process to include events in the critical  event
         set  term  of  a  template  which  could be generated in
         volume by the user.

Example 9-2 Viewing Directly-Assigned Privileges

If you have been directly assigned privileges, then your basic set contains more than the default basic set. In the following example, the user always has access to the proc_clock_highres privilege.

$ /usr/bin/whoami
$ ppriv -v $$
1800:   pfksh
flags = <none>
        E: file_link_any,…,proc_clock_highres,proc_session
        I: file_link_any,…,proc_clock_highres,proc_session
        P: file_link_any,…,proc_clock_highres,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time
$ ppriv -vl proc_clock_highres
        Allows a process to use high resolution timers.

To view authorizations, use the auths command:

$ auths list

The output of this command produces a more readable summary (one per line) of the authorizations that are assigned to a user. Starting with Oracle Solaris 11.1, several new options have been added to the auths command. For example, the check option is useful for scripting. Other new options provide the ability to add, modify, and remove authorizations to and from files or LDAP. See auths(1).