Typically, users or roles obtain administrative rights through a rights profile, but direct assignment of rights is also possible.
Privileges can be assigned directly to users and roles.
Direct assignment of privileges is not a secure practice. Users and roles with a directly assigned privilege can override security policy wherever this privilege is required by the kernel. Also, malicious processes that compromise a user or role's process can use this privilege wherever it is required by the kernel.
A more secure practice is to assign the privilege as a security attribute of a command in a rights profile. Then, that privilege is available only for that command by someone who has that rights profile.
Authorizations can be assigned directly to users and roles.
Because authorizations are evaluated at the user level, direct assignment of authorizations can be less dangerous than direct assignment of privileges. However, authorizations can enable a user to perform highly secure tasks, such as assigning audit flags. For greater security, assign authorizations in an authenticated rights profile where the user must supply a password before the command can execute.