Oracle Solaris implements role-based access control (RBAC) to control system access. To shut down or boot the system, or to administer boot features, you must be assigned at a minimum the Maintenance and Repair profile. Other profiles are required if you need to perform additional tasks indirectly related to maintenance and repair, such as creating archives or installing software.
An administrator who has the solaris.delegate.* authorization can assign the required profiles to users.
For example, an administrator assigns the Maintenance and Repair profile to user jdoe. Before jdoe executes a privileged boot administration command, jdoe must be in a profile shell. The shell can be created by issuing the pfbash command. Alternatively, jdoe can prefix every privileged command with pfexec, for example, pfexec bootadm or pfexec shutdown.
As an alternative, instead of assigning profiles directly to users, a system administrator can create a role that contains the combination of profiles required to perform a range of tasks.
Suppose that a role repairua is created with both the Maintenance and Repair profile and the Unified Archive Administration profile. As an authorized user, jdoe uses the su command to assume that role. All roles automatically get pfbash as the default shell.
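The following check is an added example, not part of the Oracle documentation: it reports which required rights profiles are missing from the output of the profiles command for a user such as jdoe or a role such as repairua. The output layout (an optional "name:" header followed by one indented profile per line), the function names, and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which required rights profiles are absent from
# `profiles <name>` output. Assumed output format: an optional "<name>:"
# header followed by one indented profile name per line.

# normalize_profiles: read `profiles` output on stdin and print one trimmed
# profile name per line, dropping blank lines and the "<name>:" header.
normalize_profiles() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' -e '/:$/d'
}

# missing_profiles LISTING REQUIRED...
# Prints each REQUIRED profile that is not an exact line of LISTING.
# Exact matching (grep -Fx) keeps a partial name such as "Repair" from
# being accepted. Returns 0 if nothing is missing, 1 otherwise.
missing_profiles() {
    listing=$(printf '%s\n' "$1" | normalize_profiles)
    shift
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$listing" | grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listings (not captured from a real system).
SAMPLE_JDOE='jdoe:
          Maintenance and Repair
          Basic Solaris User
          All'
SAMPLE_REPAIRUA='repairua:
          Maintenance and Repair
          Unified Archive Administration
          Basic Solaris User
          All'

# On a live system, pass "$(profiles jdoe)" instead of the sample.
missing_profiles "$SAMPLE_JDOE" "Maintenance and Repair" \
    "Unified Archive Administration" || true
```

With the sample data, jdoe holds only the Maintenance and Repair profile, so the call prints Unified Archive Administration as missing, while the same check against the repairua listing reports nothing.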
For more information about rights profiles, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.