Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Authorizations Reference

An authorization is a discrete right that can be granted to a role or a user. Authorizations are checked by compliant applications before a user gets access to the application or specific operations within the application.

Authorizations are user-level, and therefore extensible. You can write a program that requires authorization, add the authorizations to your system, create a rights profile for these authorizations, and assign the rights profile to users or roles who are allowed to use the program.

Authorization Naming Conventions

An authorization has a name that is used internally. For example, solaris.system.date is the name of an authorization. An authorization has a short description that appears in the graphical user interfaces (GUIs). For example, Set Date & Time is the description of the solaris.system.date authorization.

By convention, authorization names consist of the reverse order of the Internet name of the supplier, the subject area, any subareas, and the function. The parts of the authorization name are separated by dots. An example would be com.xyzcorp.device.access. Exceptions to this convention are the authorizations from Oracle, which use the prefix solaris instead of an Internet name. The naming convention enables administrators to apply authorizations in a hierarchical fashion. A wildcard (*) can represent any strings to the right of a dot.

As an example of how authorizations are used, the Network Link Security rights profile has the solaris.network.link.security authorization only, while the Network Security rights profile has the Network Link Security profile as a supplementary profile, plus the solaris.network.* and solaris.smf.manage.ssh authorizations.

Delegation Authority in Authorizations

An authorization that ends with the suffix delegate enables a user or a role to delegate to other users any assigned authorizations that begin with the same prefix.

The solaris auth.delegate authorization enables a user or a role to delegate to other users any authorizations that the delegating users or roles are assigned. For example, a role with the solaris auth.delegate and solaris.network.wifi.wep authorizations can delegate the solaris.network.wifi.wep authorization to another user or role.