Securing Users and Processes in Oracle® Solaris 11.4

Updated: September 2018

Rights Profiles Reference

This section describes some typical rights profiles. Rights profiles are convenient collections of authorizations and other security attributes, commands with security attributes, and supplementary rights profiles. Oracle Solaris provides many rights profiles. If they are not sufficient for your needs, you can modify existing ones and create new ones.

Rights profiles must be assigned in order, from most to least powerful. For more information, see Order of Search for Assigned Rights.

To view the contents of the following rights profiles, see Viewing the Contents of Rights Profiles.

  • System Administrator rights profile – Provides access to most tasks that are not connected with security. This profile includes several other profiles to create a powerful role. Note that the All rights profile is assigned at the end of the list of supplementary rights profiles.

  • Operator rights profile – Provides limited rights to manage files and offline media. This profile includes supplementary rights profiles to create a simple role.

  • Printer Management rights profile – Provides a limited number of commands and authorizations to handle printing. This profile is one of several profiles that cover a single area of administration.

  • Basic Solaris User rights profile – Enables users to use the system within the bounds of security policy. This profile is the default users' rights profile. Note that the convenience that the Basic Solaris User rights profile provides must be balanced against site security requirements. Sites that need stricter security might prefer to remove this profile or assign the Stop rights profile. For the implementation of the Basic Solaris User rights profile, see Example 73, Listing the Commands With Security Attributes in Your Rights Profiles.

  • Console User rights profile – For the workstation owner, provides access to authorizations, commands, and actions for the person who is seated at the computer.

  • All rights profile – For roles, provides access to commands that do not have security attributes. This profile can be appropriate for users with limited rights.

  • Stop rights profile – A special rights profile that stops the evaluation of later profiles. This profile also prevents the evaluation of the AUTHS_GRANTED, PROFS_GRANTED, and CONSOLE_USER security attributes. With the Stop profile, you can provide roles and users with a restricted profile shell.


Note - The Stop profile affects privilege assignment indirectly. Rights profiles that are listed after the Stop profile are not evaluated. Therefore, the commands with privileges in those profiles are not in effect. See Example 31, Restricting an Administrator to Explicitly Assigned Rights.
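The following added example (not part of the Oracle documentation) models the Stop rule described above over constructed entries in the user_attr(5) field layout, reporting which assigned profiles are evaluated and which are ignored because they follow Stop. It assumes a flat profile list with no expansion of supplementary profiles, and it assumes that PROFS_GRANTED defaults are evaluated after the assigned list when Stop is absent; the sample accounts and the PROFS_GRANTED value are invented for illustration.

```python
"""Added example: audit where Stop truncates rights-profile evaluation."""

# Constructed sample in user_attr(5) layout: name:qualifier:res1:res2:attrs
SAMPLE_USER_ATTR = """\
# constructed sample, not from a real system
jdoe::::type=normal;profiles=Printer Management,Stop,System Administrator
opsrole::::type=role;profiles=Operator,All
kiosk::::type=normal;profiles=Stop
"""

# Constructed stand-in for the PROFS_GRANTED value in policy.conf
SAMPLE_PROFS_GRANTED = ["Basic Solaris User"]


def parse_user_attr(text):
    """Return {account: [profile, ...]} from user_attr-style lines."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # malformed line: skip rather than guess
        attrs = dict(kv.split("=", 1) for kv in fields[4].split(";") if "=" in kv)
        profs = [p.strip() for p in attrs.get("profiles", "").split(",") if p.strip()]
        accounts[fields[0]] = profs
    return accounts


def evaluate(profiles, profs_granted):
    """Apply the Stop rule; return (evaluated, ignored) profile lists."""
    if "Stop" in profiles:
        cut = profiles.index("Stop")
        # Profiles after Stop are not evaluated and PROFS_GRANTED is not consulted.
        return profiles[:cut], profiles[cut + 1:]
    # Assumption: without Stop, PROFS_GRANTED defaults follow the assigned list.
    return profiles + [p for p in profs_granted if p not in profiles], []


def audit(text=SAMPLE_USER_ATTR, profs_granted=SAMPLE_PROFS_GRANTED):
    """Return {account: {"evaluated": [...], "ignored": [...]}}."""
    report = {}
    for account, profs in parse_user_attr(text).items():
        evaluated, ignored = evaluate(profs, profs_granted)
        report[account] = {"evaluated": evaluated, "ignored": ignored}
    return report


if __name__ == "__main__":
    for account, result in audit().items():
        print(account, result)
```

A non-empty "ignored" list means rights were assigned that can never take effect, which usually indicates a misplaced Stop or a profile added to the wrong end of the list.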

Viewing the Contents of Rights Profiles

You have three views into the contents of rights profiles:

  • The getent command enables you to view the contents of all of the rights profiles on the system. For sample output, see Listing Rights in Oracle Solaris.

  • The profiles -p "Profile Name" info command enables you to view the contents of a specific rights profile.

  • The profiles -l account-name command enables you to view the contents of the rights profiles that are assigned to a specific user or role.

For more information, see Listing Rights in Oracle Solaris and the getent(8) and profiles(1) man pages.