Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Qualifying Accounts to Assume Rights on Specific Systems

This set of examples illustrates how to centrally manage the assignment of security attributes to users and roles. These commands work only in the LDAP naming service, not in the files naming service.

Example 33  Qualifying Where and When LDAP Users and Roles Can Use Their Rights

The following example enables the user jdoe to administer the systems labsys1 and labsys2. jdoe is an LDAP account.

# usermod -q labsys1 -K profiles="System Administrator" jdoe
# usermod -q labsys2 -K profiles="System Administrator" jdoe

The following example limits administrative access to the role admin on system1 to weekdays from 5am to 3pm. admin is an LDAP account. The system's local time zone is used.

# rolemod -q system1 -k access_times="(*}:Wk0500-1500" \
  -K profiles="System Administrator" admin
Example 34  Qualifying the Systems Where Users and Roles Have Administrative Rights

This set of examples illustrates how to qualify the assignment of security attributes by hostname or by group of hosts called netgroups. See the netgroup(5) man page.

The following example enables the user jdoe to administer a set of systems defined as the lab1 netgroup. jdoe and the lab1 netgroup are managed in the LDAP directory.

# usermod -q @lab1 -K profiles="System Administrator" jdoe

The following example limits the user jdoe to administering the lab1 netgroup to weekdays from 5am to 3pm.

# usermod -q @lab1 -k access_times="(*}:Wk0500-1500" -K profiles="System Administrator" jdoe