User and process rights management can be an integral part of managing your systems deployment. Planning requires a thorough knowledge of the security requirements of your organization as well as an understanding of rights in Oracle Solaris. This section describes the general process for planning your site's use of rights.
Learn the basic concepts about rights.
Read About Using Rights to Control Users and Processes. Using rights to administer a system is very different from using conventional UNIX administrative practices.
Examine your security policy.
Your organization's security policy details the potential threats to your system, measures the risk of each threat, and provides strategies to counter these threats. Isolating the security-relevant tasks through rights can be a part of the strategy.
For example, your site might require that you separate security administration from non-security administration. To implement separation of duty, see Example 5, Creating Roles for Separation of Duty. See also Appendix A, Site Security Policy and Enforcement, in Oracle Solaris 11.4 Security and Hardening Guidelines.
Your site might require that users and roles annotate their logins. These annotations appear in the audit trail. For more information, see New Feature – Annotating Reason for Access in the Audit Record in Managing Auditing in Oracle Solaris 11.4.
If your security policy relies on Authorization Rules Managed On RBAC (ARMOR), you must install and use the ARMOR package. For its use in Oracle Solaris, see Example 2, Using ARMOR Roles.
Review the default rights profiles.
The default rights profiles collect the rights that are required to complete a task. To review available rights profiles, see Listing Rights Profiles
Decide whether you are going to use roles or assign rights profiles to users directly.
Roles can ease the administration of rights. The role name identifies the tasks that the role can perform and isolates role rights from user rights. If you are going to use roles, you have three options:
You can install the ARMOR package, which installs the seven roles that the Authorization Roles Managed on RBAC (ARMOR) standard defines. See Example 2, Using ARMOR Roles.
You can define your own roles and not use ARMOR roles. See Creating a Role.
If roles are not required at your site, you can directly assign rights profiles to users. To require a password when users perform an administrative task from their rights profiles, use authenticated rights profiles. See Example 13, Requiring a User to Type Password Before Administering DHCP.
Decide whether you need to create additional rights profiles.
Look for other applications or families of applications at your site that might benefit from restricted access. Applications that affect security, that can cause denial-of-service problems, or that require special administrator training are good candidates for using rights. For example, users of Sun Ray systems do not require all basic privileges. For an example of a rights profile that limits users, see Example 30, Removing Basic Privileges From a Rights Profile.
Determine which rights are needed for the new task.
Decide whether an existing rights profile is appropriate for this task.
Order the rights profile so that commands execute with their required privileges.
For information about ordering, see Order of Search for Assigned Rights.
Decide which users should be assigned which rights.
According to the principle of least privilege, you assign users to roles that are appropriate to the user's level of trust. When you prevent users from performing tasks that the users do not need to perform, you reduce potential problems.
Once you have a plan, create logins for trusted users who can be assigned rights profiles or roles. For details on creating users, see Setting Up and Managing User Accounts (Task Map) in Managing User Accounts and User Environments in Oracle Solaris 11.4.
To assign rights, start with the procedures in Assigning Rights to Users. The sections that follow provide examples of expanding rights, limiting rights, assigning rights to resources, and troubleshooting rights assignments.