Oracle VM Server for SPARC 2.2 Administration Guide

3.  Oracle VM Server for SPARC Security
Delegating the Management of Logical Domains by Using RBAC

The Logical Domains Manager package adds two predefined role-based access control (RBAC) rights profiles to the local RBAC configuration. By using these rights profiles, you can delegate the following administrative privileges to unprivileged users:

These rights profiles can be assigned directly to users or to a role that is then assigned to users. When one of these profiles is assigned directly to a user, you must use the pfexec command or a profile shell, such as pfbash or pfksh, to successfully use the ldm command to manage your domains. Determine whether to use roles or rights profiles based on your RBAC configuration. See System Administration Guide: Security Services or Part III, Roles, Rights Profiles, and Privileges, in Oracle Solaris Administration: Security Services.

Users, authorizations, rights profiles, and roles can be configured in the following ways:

Installing the Logical Domains Manager adds the necessary rights profiles to the local files. To configure profiles and roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). All of the examples in this chapter assume that the RBAC configuration uses local files. For an overview of the authorizations and execution attributes delivered by the Logical Domains Manager package, see Logical Domains Manager Profile Contents.

Using Rights Profiles and Roles

Caution - Be careful when using the usermod and rolemod commands to add authorizations, rights profiles, or roles.

  • For the Oracle Solaris 10 OS, the usermod or rolemod command replaces any existing values.

    To add values instead of replacing them, specify a comma-separated list of existing values and the new values.

  • For the Oracle Solaris 11 OS, add values by using the plus sign (+) for each authorization you add.

    For example, the usermod -A +auth username command grants the auth authorization to the username user. The rolemod command works the same way.
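The Oracle Solaris 10 caveat above (usermod -P replaces the profile list rather than appending to it) is easy to get wrong by hand. The following POSIX sh helper is an added example, not from the guide: it reads the existing profiles= value from a user_attr line, merges a new profile into it without duplicates, and prints (does not run) the usermod command that preserves the existing assignments. The user_attr entry for the user "sam" is a constructed sample, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): build the comma-separated profile
# list that usermod -P needs on Oracle Solaris 10, where -P replaces rather
# than appends. The user_attr line below is constructed for illustration.

# Constructed sample /etc/user_attr entry for a hypothetical user "sam".
SAMPLE_USER_ATTR='sam::::type=normal;profiles=Basic Solaris User,Printer Management;roles=ldm_read'

# current_profiles LINE: print the value of the profiles= key from a user_attr
# line (the fifth colon-separated field holds key=value pairs split by ";").
current_profiles() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (index(kv[i], "profiles=") == 1) { print substr(kv[i], 10); exit }
    }'
}

# merged_profiles EXISTING NEW: EXISTING plus NEW, unless NEW is already present.
merged_profiles() {
    if [ -z "$1" ]; then
        printf '%s\n' "$2"
        return
    fi
    case ",$1," in
        *",$2,"*) printf '%s\n' "$1" ;;
        *)        printf '%s,%s\n' "$1" "$2" ;;
    esac
}

# usermod_cmd LINE NEW: print (do not run) the usermod command that adds the
# NEW profile while keeping every profile the user already has.
usermod_cmd() {
    user=${1%%:*}
    merged=$(merged_profiles "$(current_profiles "$1")" "$2")
    printf 'usermod -P "%s" %s\n' "$merged" "$user"
}

usermod_cmd "$SAMPLE_USER_ATTR" "LDoms Management"
# prints: usermod -P "Basic Solaris User,Printer Management,LDoms Management" sam
```

Running the printed command instead of a bare usermod -P "LDoms Management" sam keeps the user's other profiles intact; on Oracle Solaris 11 the same result is obtained directly with the plus-sign form described in the caution.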


Managing User Rights Profiles

The following procedures show how to manage user rights profiles on the system by using local files. To manage user profiles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

How to Assign a Rights Profile to a User

Users who have been directly assigned the LDoms Management profile must invoke a profile shell to run the ldm command with security attributes. For more information, see System Administration Guide: Security Services or Part III, Roles, Rights Profiles, and Privileges, in Oracle Solaris Administration: Security Services.

  1. Become an administrator, superuser, or assume an equivalent role.

    For Oracle Solaris 10, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. For Oracle Solaris 11, see Part III, Roles, Rights Profiles, and Privileges, in Oracle Solaris Administration: Security Services.

  2. Assign an administrative profile to a local user account.

    You can assign either the LDoms Review profile or the LDoms Management profile to a user account.

    # usermod -P "profile-name" username

    The following command assigns the LDoms Management profile to user sam:

    # usermod -P "LDoms Management" sam

Assigning Roles to Users

The following procedure shows how to create a role and assign it to a user by using local files. To manage roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

The advantage of using this procedure is that only a user who has been assigned a specific role can assume that role. When assuming a role, a password is required if the role has been assigned a password. These two layers of security prevent a user who has not been assigned a role, yet has the password, from assuming that role.

How to Create a Role and Assign the Role to a User

  1. Become an administrator, superuser, or assume an equivalent role.

    For Oracle Solaris 10, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. For Oracle Solaris 11, see Part III, Roles, Rights Profiles, and Privileges, in Oracle Solaris Administration: Security Services.

  2. Create a role.

    # roleadd -P "profile-name" role-name

  3. Assign a password to the role.

    You will be prompted to specify and then verify a new password.

    # passwd role-name

  4. Assign the role to a user.

    # useradd -R role-name username

  5. Assign a password to the user.

    You will be prompted to specify and then verify a new password.

    # passwd username

  6. Become the user and provide the password, if necessary.

    # su username

  7. Verify that the user has access to the assigned role.

    $ id
    uid=nn(username) gid=nn(group-name)
    $ roles
    role-name

  8. Assume the role and provide the password, if necessary.

    $ su role-name

  9. Verify that the user has assumed the role.

    $ id
    uid=nn(role-name) gid=nn(group-name)

Example 3-1 Creating a Role and Assigning the Role to a User

This example shows how to create the ldm_read role, assign the role to the user_1 user, become the user_1 user, and assume the ldm_read role.

# roleadd -P "LDoms Review" ldm_read
# passwd ldm_read
New Password: ldm_read-password
Re-enter new Password: ldm_read-password
passwd: password successfully changed for ldm_read
# useradd -R ldm_read user_1
# passwd user_1
New Password: user_1-password
Re-enter new Password: user_1-password
passwd: password successfully changed for user_1
# su user_1
Password: user_1-password
$ id
uid=95555(user_1) gid=10(staff)
$ roles
ldm_read
$ su ldm_read
Password: ldm_read-password
$ id
uid=99667(ldm_read) gid=14(sysadmin)

Logical Domains Manager Profile Contents

The Logical Domains Manager package adds the following RBAC profiles to the local /etc/security/prof_attr file:

The Logical Domains Manager package also adds the following execution attribute that is associated with the LDoms Management profile to the local /etc/security/exec_attr file:

LDoms Management:suser:cmd:::/usr/sbin/ldm:privs=file_dac_read,file_dac_search

The following table lists the ldm subcommands with the corresponding user authorization that is needed to perform the commands.

Table 3-1 The ldm Subcommands and User Authorizations

    ldm Subcommand (1)    User Authorization
    add-*                 solaris.ldoms.write
    bind-domain           solaris.ldoms.write
    list                  solaris.ldoms.read
    list-*                solaris.ldoms.read
    panic-domain          solaris.ldoms.write
    remove-*              solaris.ldoms.write
    set-*                 solaris.ldoms.write
    start-domain          solaris.ldoms.write
    stop-domain           solaris.ldoms.write
    unbind-domain         solaris.ldoms.write

(1) Refers to all the resources you can add, list, remove, or set.
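As an added example that is not part of the guide, the following POSIX sh functions turn Table 3-1 and the exec_attr entry above into a quick least-privilege check: required_auth maps an ldm subcommand to the authorization the table lists for it, can_run tests that authorization against a comma-separated authorization list of the kind auths(1) prints for a user, and exec_attr_privs extracts the privs= set from the LDoms Management exec_attr line. The authorization list for the review-only user is a constructed sample; subcommands the table does not cover are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): map an ldm subcommand to the
# authorization Table 3-1 requires, check it against a user's authorization
# list, and pull the privilege set out of the LDoms Management exec_attr entry.
# The authorization list below is a constructed sample.

# required_auth SUBCOMMAND: print the authorization Table 3-1 lists for it.
required_auth() {
    case $1 in
        list|list-*) printf 'solaris.ldoms.read\n' ;;
        add-*|remove-*|set-*|bind-domain|unbind-domain|start-domain|stop-domain|panic-domain)
            printf 'solaris.ldoms.write\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# has_auth AUTHLIST AUTH: succeed if AUTH appears in the comma-separated
# AUTHLIST (the format auths(1) prints for a user).
has_auth() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# can_run AUTHLIST SUBCOMMAND: print allowed, denied, or unknown.
can_run() {
    need=$(required_auth "$2")
    if [ "$need" = unknown ]; then
        printf 'unknown\n'
    elif has_auth "$1" "$need"; then
        printf 'allowed\n'
    else
        printf 'denied\n'
    fi
}

# exec_attr_privs LINE: print the privs= value from an exec_attr line (the
# seventh colon-separated field holds key=value pairs split by ";").
exec_attr_privs() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($7, kv, ";")
        for (i = 1; i <= n; i++)
            if (index(kv[i], "privs=") == 1) { print substr(kv[i], 7); exit }
    }'
}

# Constructed sample: authorizations of a user holding only a read-only profile.
REVIEW_AUTHS='solaris.ldoms.read,solaris.profmgr.read'
# The exec_attr entry quoted in the text above.
LDM_EXEC_ATTR='LDoms Management:suser:cmd:::/usr/sbin/ldm:privs=file_dac_read,file_dac_search'

can_run "$REVIEW_AUTHS" list-domain    # allowed
can_run "$REVIEW_AUTHS" stop-domain    # denied
exec_attr_privs "$LDM_EXEC_ATTR"       # file_dac_read,file_dac_search
```

On a live system the first argument to can_run would be the output of auths username; the functions themselves only compare strings, so they can be used to review a planned delegation before any profile or role is assigned.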