Creating and Administering Oracle® Solaris 11.4 Boot Environments

Updated: November 2019
 
 

Using Rights Profiles to Administer Boot Environments

Oracle Solaris implements role-based access control (RBAC) to control system access. To manage boot environments, you must be assigned at a minimum the Software Installation profile. Other profiles are required if you need to perform additional tasks indirectly related to your current one, such as creating and configuring zones.

An administrator who has the solaris.delegate.* authorization can assign the required profiles to users.

For example, an administrator assigns the Software Installation profile to user jdoe. Before executing a privileged command, jdoe must be in a profile shell, which can be started by issuing the pfbash command. Alternatively, jdoe can prefix each privileged command with pfexec, for example, pfexec beadm.

As an alternative, instead of assigning profiles directly to users, a system administrator can create a role that contains the combination of profiles required to perform a range of tasks.

Suppose that a role beadmin is created with the profiles for software installation, unified archive administration, and zone configuration. As an authorized user, jdoe uses the su command to assume that role. All roles automatically get pfbash as the default shell.
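To review who can administer boot environments under either arrangement described above (a profile assigned directly, or a role such as beadmin), the following added example, which is not part of Oracle's documentation, parses user_attr(5)-format lines. It assumes local files only and does not resolve profiles nested inside other profiles; the accounts asmith and bwong, the role opsrole, and every profile name except Software Installation are constructed sample data.

```shell
#!/bin/sh
# Added example (not Oracle's code): report which accounts can reach a given
# rights profile, directly or through a role, from user_attr(5)-format lines:
#   name:qualifier:res1:res2:key=value;key=value

# Constructed sample input. Only "Software Installation", jdoe and beadmin
# come from the page; all other names here are made up for illustration.
SAMPLE_USER_ATTR='# constructed sample
jdoe::::profiles=Software Installation
beadmin::::type=role;profiles=Software Installation,Zone Configuration
asmith::::roles=beadmin
bwong::::profiles=Printer Management;roles=opsrole'

# usage: profile_holders "Profile Name" < user_attr-format input
profile_holders() {
  awk -F: -v want="$1" '
    /^#/ || NF < 5 { next }
    {
      name = $1
      attrs = $5
      for (i = 6; i <= NF; i++) attrs = attrs ":" $i   # keep escaped colons
      n = split(attrs, kv, ";")
      for (i = 1; i <= n; i++) {
        eq = index(kv[i], "=")
        if (eq == 0) continue
        key = substr(kv[i], 1, eq - 1)
        val = substr(kv[i], eq + 1)
        if (key == "type" && val == "role") isrole[name] = 1
        else if (key == "roles") roles[name] = val
        else if (key == "profiles") {
          m = split(val, p, ",")
          for (j = 1; j <= m; j++) if (p[j] == want) direct[name] = 1
        }
      }
    }
    END {
      # Accounts that list the profile themselves (users or role accounts).
      for (u in direct) print u, ((u in isrole) ? "role-account" : "direct")
      # Users who can assume a role that lists the profile.
      for (u in roles) {
        m = split(roles[u], r, ",")
        for (j = 1; j <= m; j++)
          if (r[j] in direct) print u, "via-role=" r[j]
      }
    }' | sort
}

printf '%s\n' "$SAMPLE_USER_ATTR" | profile_holders "Software Installation"
```

On a live system, feed the function the contents of /etc/user_attr and the files under /etc/user_attr.d instead of the sample.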

For more information about rights profiles, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.