
Using Unified Archives for System Recovery and Cloning in Oracle® Solaris 11.4


Updated: September 2020
 
 

Using Rights Profiles with Unified Archives

Oracle Solaris implements role-based access control (RBAC) to control system access. To create and deploy Unified Archives, you must be assigned, at a minimum, the Unified Archive Administration profile.

Other profiles are required if you perform additional tasks beyond working with unified archives. For example, to install Oracle Solaris from a unified archive, you would also need the following profiles:

  • Install Manifest Management for creating and managing install manifests.

  • Install Profile Management for creating and managing install service profiles.

  • Install Client Management for creating and managing install services.

An administrator who has the solaris.delegate.* authorization can assign the required profiles to users.

For example, a system administrator assigns the Unified Archive Administration profile to user jdoe. Before jdoe executes a privileged command related to unified archives, jdoe must be in a profile shell, which can be created by issuing the pfbash command. Alternatively, jdoe can prefix every privileged command that is issued with pfexec, for example, pfexec archiveadm.

As an alternative to assigning profiles directly to individual users, a system administrator can create a role that contains the combination of profiles required to perform a range of tasks.

Suppose that a role uadeploy is created with the Unified Archive Administration profile as well as the profiles required for installation. As an authorized user, jdoe uses the su command to assume that role. All roles automatically get pfbash as the default shell.
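The following check is an added example, not part of the Oracle documentation: it reads a rights-profile listing on standard input and reports which of the four profiles named above are missing, so that a user or role can be verified before an archive-based installation is attempted. The function name, the sample listing, and the assumed listing format (a "name:" header followed by indented profile names, as printed by the profiles command) are assumptions.

```shell
# Added example: report which rights profiles needed for installing from a
# Unified Archive are absent from a profile listing read on stdin.
REQUIRED_PROFILES='Unified Archive Administration
Install Manifest Management
Install Profile Management
Install Client Management'

missing_profiles() {
    # Normalize the listing: drop the "name:" header, trim each line.
    listing=$(sed -e '/:[[:space:]]*$/d' \
                  -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    missing=''
    while IFS= read -r want; do
        # -x whole-line, -F fixed-string: a longer profile name that merely
        # contains the required name does not count as a match.
        if ! printf '%s\n' "$listing" | grep -qxF -- "$want"; then
            missing="${missing}${want}
"
        fi
    done <<EOF
$REQUIRED_PROFILES
EOF
    printf '%s' "$missing"
}

# Constructed sample listing for user jdoe (assumed format, not captured output).
SAMPLE_JDOE='jdoe:
          Unified Archive Administration
          Basic Solaris User
          All'

# Check the constructed sample; prints the three missing Install profiles.
check_sample() { printf '%s\n' "$SAMPLE_JDOE" | missing_profiles; }
```

On a Solaris system the listing would come from the profiles command, for example profiles jdoe for the user or profiles uadeploy for the role; empty output means all four profiles are present.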

For more information about rights profiles, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.