JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Security Services     Oracle Solaris 10 1/13 Information Library
search filter icon
search icon

Document Information


Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Controlling Access to Devices (Tasks)

5.  Using the Basic Audit Reporting Tool (Tasks)

6.  Controlling Access to Files (Tasks)

7.  Using the Automated Security Enhancement Tool (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

Contents of Rights Profiles

Primary Administrator Rights Profile

System Administrator Rights Profile

Operator Rights Profile

Printer Management Rights Profile

Basic Solaris User Rights Profile

All Rights Profile

Order of Rights Profiles

Viewing the Contents of Rights Profiles

Authorization Naming and Delegation

Authorization Naming Conventions

Example of Authorization Granularity

Delegation Authority in Authorizations

Databases That Support RBAC

RBAC Database Relationships

RBAC Databases and the Naming Services

user_attr Database

auth_attr Database

prof_attr Database

exec_attr Database

policy.conf File

RBAC Commands

Commands That Manage RBAC

Commands That Require Authorizations

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Cryptographic Services

13.  Oracle Solaris Cryptographic Framework (Overview)

14.  Oracle Solaris Cryptographic Framework (Tasks)

15.  Oracle Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Secure Shell (Tasks)

20.  Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

28.  Oracle Solaris Auditing (Overview)

29.  Planning for Oracle Solaris Auditing

30.  Managing Oracle Solaris Auditing (Tasks)

31.  Oracle Solaris Auditing (Reference)



RBAC Commands

This section lists commands that are used to administer RBAC. Also provided is a table of commands whose access can be controlled by authorizations.

Commands That Manage RBAC

While you can edit the local RBAC databases manually, such editing is strongly discouraged. The following commands are available for managing access to tasks with RBAC.

Table 10-7 RBAC Administration Commands

Man Page for Command
Displays authorizations for a user.
Makes a dbm file.
Name service cache daemon, useful for caching the user_attr, prof_attr, and exec_attr databases. Use the svcadm command to restart the daemon.
Role account management module for PAM. Checks for the authorization to assume role.
Used by profile shells to execute commands with security attributes that are specified in the exec_attr database.
Configuration file for system security policy. Lists granted authorizations, granted privileges, and other security information.
Displays rights profiles for a specified user.
Displays roles that a specified user can assume.
Adds a role to a local system.
Deletes a role from a local system.
Modifies a role's properties on a local system.
Merges the source security attribute database into the target database. For use in situations where local databases need to be merged into a naming service. Also for use in upgrades where conversion scripts are not supplied.
Manages entries in the exec_attr database. Requires authentication.
Manages bulk operations on user accounts. Requires authentication.
Manages rights profiles in the prof_attr and exec_attr databases. Requires authentication.
Manages roles and users in role accounts. Requires authentication.
Manages user entries. Requires authentication.
Adds a user account to the system. The -R option assigns a role to a user's account.
Deletes a user's login from the system.
Modifies a user's account properties on the system.

Commands That Require Authorizations

The following table provides examples of how authorizations are used to limit command options on an Oracle Solaris system. For more discussion of authorizations, see Authorization Naming and Delegation.

Table 10-8 Commands and Associated Authorizations

Man Page for Command
Authorization Requirements required for all options (when neither at.allow nor at.deny files exist) required for all options
solaris.device.cdrw required for all options, and is granted by default in the policy.conf file required for the option to submit a job (when neither crontab.allow nor crontab.deny files exist) required for the options to list or modify other users' crontab files

solaris.device.allocate (or other authorization as specified in device_allocate file) required to allocate a device

solaris.device.revoke (or other authorization as specified in device_allocate file) required to allocate a device to another user (-F option)

solaris.device.allocate (or other authorization as specified in device_allocate file) required to deallocate another user's device

solaris.device.revoke (or other authorization as specified in device_allocate) required to force deallocation of the specified device (-F option) or all devices (-I option)

solaris.device.revoke required to list another user's devices (-U option)
solaris.mail required to access mail subsystem functions; solaris.mail.mailq required to view mail queue