What's New in Oracle® Solaris 11.2

Updated: December 2014

RBAC Time-Based and Location-Based Access

You can qualify user attributes by location. A new qualifier option for the usermod(1M) and rolemod(1M) commands indicates the host or netgroup where user attributes apply. By default, a local entry matching the named user or role has the highest precedence. If no local entry exists, an LDAP query is initiated, which returns the entry whose hostname matches the current host, or the first entry matching one of the user's netgroups. Otherwise, the unqualified user attributes are used.
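
The lookup order described above, modeled as an added example (not Oracle Solaris code). The function name, the entry layout and the sample users, hosts and netgroups are assumptions, and the model assumes that a host match is tried before netgroup matches.

```python
# Added illustration: simplified model of the lookup order described above.
# Entry layout, function name and sample values are assumptions for this
# example, not Oracle Solaris code or its on-disk/LDAP formats.

def resolve_user_attrs(user, current_host, user_netgroups, local_entries, ldap_entries):
    """Return (source, attrs) that would apply to `user` on `current_host`."""
    # 1. A local entry for the user or role always wins.
    if user in local_entries:
        return "local", local_entries[user]

    candidates = [e for e in ldap_entries if e["user"] == user]

    # 2. LDAP entry qualified with this host's name.
    for e in candidates:
        if e["qualifier"] == ("host", current_host.lower()):
            return "ldap-host", e["attrs"]

    # 3. First LDAP entry qualified with one of the user's netgroups.
    for e in candidates:
        kind, name = e["qualifier"] or (None, None)
        if kind == "netgroup" and name in user_netgroups:
            return "ldap-netgroup", e["attrs"]

    # 4. Fall back to the unqualified entry, if any.
    for e in candidates:
        if e["qualifier"] is None:
            return "ldap-unqualified", e["attrs"]
    return "none", {}


# Constructed sample data (not from the original page).
LOCAL = {"root": {"type": "role"}}
LDAP = [
    {"user": "jdoe", "qualifier": None, "attrs": {"profiles": "Basic Solaris User"}},
    {"user": "jdoe", "qualifier": ("netgroup", "dba-hosts"), "attrs": {"roles": "dbadmin"}},
    {"user": "jdoe", "qualifier": ("host", "db1.example.com"), "attrs": {"roles": "dbadmin,backup"}},
]

if __name__ == "__main__":
    cases = [("db1.example.com", {"dba-hosts"}),
             ("db2.example.com", {"dba-hosts"}),
             ("web1.example.com", set())]
    for host, groups in cases:
        print(host, resolve_user_attrs("jdoe", host, groups, LOCAL, LDAP))
```

Because a local entry short-circuits the LDAP lookup in this model, an audit of effective privileges has to cover each host's local entries as well as the directory.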

A new time-based policy for access to PAM services can be specified by using the new access_times keyword of the useradd(1M) command. You can use this keyword to specify the days and times when each user can authenticate to specific PAM services. For example, use of SSH can be restricted to weekday mornings.