Securing Users and Processes in Oracle® Solaris 11.4

Updated: November 2020
 
 

Qualifying Accounts to Assume Rights on Specific Systems

This set of examples illustrates how to centrally manage the assignment of security attributes to users and roles. These commands work only in the LDAP naming service, not in the files naming service.

Example 33  Qualifying Where and When LDAP Users and Roles Can Use Their Rights

The following example enables the user jdoe to administer the systems labsys1 and labsys2. jdoe is an LDAP account.

# usermod -q labsys1 -K profiles="System Administrator" jdoe
# usermod -q labsys2 -K profiles="System Administrator" jdoe

The following example limits administrative access to the role admin on system1 to weekdays from 5am to 3pm. admin is an LDAP account. The system's local time zone is used.

# rolemod -q system1 -K access_times="{*}:Wk0500-1500" \
  -K profiles="System Administrator" admin

Example 34  Qualifying the Systems Where Users and Roles Have Administrative Rights

This set of examples illustrates how to qualify the assignment of security attributes by hostname or by groups of hosts called netgroups. See the netgroup(5) man page.

The following example enables the user jdoe to administer a set of systems defined as the lab1 netgroup. jdoe and the lab1 netgroup are managed in the LDAP directory.

# usermod -q @lab1 -K profiles="System Administrator" jdoe

The following example limits the user jdoe's administration of the lab1 netgroup to weekdays from 5am to 3pm.

# usermod -q @lab1 -K access_times="{*}:Wk0500-1500" -K profiles="System Administrator" jdoe
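
A pre-flight check for these assignments, added here as an example and not taken from the Oracle documentation: it builds the qualified command line for review without running it, and rejects malformed qualifiers or access_times values before they reach the directory. The function names are hypothetical, and the script accepts only the argument forms shown on this page (a hostname or @netgroup qualifier, and a `{*}:WkHHMM-HHMM` same-day window passed with `-K`).

```shell
#!/bin/sh
# Added example: builds (never runs) the qualified usermod/rolemod commands.
# Assumption: only the argument forms shown on this page are accepted.

# A host, netgroup or account name: letters, digits, dot, dash, underscore.
valid_name() {
    case "$1" in
        ""|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# The page's only access_times form: {*}:WkHHMM-HHMM, same-day window.
valid_window() {
    case "$1" in
        '{*}:Wk'[0-2][0-9][0-5][0-9]-[0-2][0-9][0-5][0-9]) ;;
        *) return 1 ;;
    esac
    t=${1#'{*}:Wk'}
    [ "${t%-*}" -le 2359 ] && [ "${t#*-}" -le 2359 ] && [ "${t%-*}" -lt "${t#*-}" ]
}

# build_cmd TOOL QUALIFIER PROFILE ACCOUNT [WINDOW]
# Prints the command line on stdout, or returns 1 with a reason on stderr.
build_cmd() {
    tool=$1; qual=$2; profile=$3; account=$4; window=${5-}
    case "$tool" in
        usermod|rolemod) ;;
        *) echo "unknown tool: $tool" >&2; return 1 ;;
    esac
    # A leading @ marks a netgroup; the rest must be a plain name.
    valid_name "${qual#@}" || { echo "bad qualifier: $qual" >&2; return 1; }
    valid_name "$account" || { echo "bad account: $account" >&2; return 1; }
    case "$profile" in
        ""|*[!A-Za-z0-9\ ._-]*) echo "bad profile: $profile" >&2; return 1 ;;
    esac
    set -- "$tool" -q "$qual"
    [ -z "$window" ] || {
        valid_window "$window" || { echo "bad access_times: $window" >&2; return 1; }
        set -- "$@" -K "access_times=\"$window\""
    }
    printf '%s\n' "$* -K profiles=\"$profile\" $account"
}

# Constructed inputs: the second has an unbalanced brace and is rejected.
build_cmd usermod @lab1 "System Administrator" jdoe '{*}:Wk0500-1500'
build_cmd rolemod system1 "System Administrator" admin '{*:Wk0500-1500' || true
```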