Administrators require rights to run privileged commands, and often require authorization to run the commands. Rights profiles supply privileged commands, authorizations, and sometimes supplementary rights profiles in a convenient bundle.
You have several ways to determine which rights profile is best to assign. The names of rights profiles indicate their function, so you can list and search the profile names for functional areas. You can also start with a command name, and determine which rights profiles include that command.
When you know the name of the rights profile that contains the commands you are interested in, and you review the rights in that rights profile, then you can determine whether to assign that particular profile to an administrator. You should not assign individual privileges or authorizations to administrators. For more information, see Considerations When Assigning Rights.
After you assign administrative rights, ask your administrators to review Using Your Assigned Administrative Rights before they run administrative commands.
You can search for which rights to assign by starting with rights profiles or with command names. This procedure shows how to search by rights profile. Example 1, Determining Which Rights a Command Requires shows how to search by command.
First, list all rights profiles on the system. The profile names indicate their function.

$ profiles -a | more
...
Administrative Command History
Administrator Message Edit
Audit Configuration
...
In the following example, you search for rights profiles about administering zones.
$ profiles -a | grep -i zone
Zone Security
Zone Configuration
Zone Management
Zone Migration
Zone Cold Migration
Continuing with the zones example, you are going to assign rights to secure zones.
$ profiles -p "Zone Security" info
name=Zone Security
desc=Zones Virtual Application Environment Security
auths=solaris.zone.*,solaris.auth.delegate
cmd=/usr/sbin/txzonemgr
cmd=/usr/sbin/zonecfg
cmd=/usr/lib/rad/module/mod_zonemgr.so.1

The output indicates that the assignee will have every authorization whose name begins with the string solaris.zone, plus the solaris.auth.delegate authorization. The assignee can run the txzonemgr and zonecfg commands and use the mod_zonemgr.so.1 RAD module.
For details about the rights that are assigned to the commands, continue with the following step. For descriptions of the solaris.zone authorizations, see Step 5.
$ getent exec_attr | grep "^Zone Security"
Zone Security:solaris:cmd:RO::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:RO::/usr/sbin/zonecfg:uid=0
Zone Security:solaris:cmd:RO::/usr/lib/rad/module/mod_zonemgr.so.1:uid=0

The uid=0 attribute indicates that these commands run with a UID of 0, that is, with full root identity rather than the assignee's UID. RO indicates that this rights profile is read-only.
$ getent auth_attr | grep solaris.zone
solaris.zone.:RO::Zone Management::
solaris.zone.clonefrom:RO::Clone another Zone::
solaris.zone.login:RO::Zone Login::
solaris.zone.manage:RO::Zone Deployment::
solaris.zone.config:RO::Modify the Persistent Zone Configuration::
solaris.zone.liveconfig:RO::Inspect and Modify the Live Zone Configuration::
solaris.zone.migrate:RO::Zone Migration::
solaris.zone.migrate.cold:RO::Zone Cold Migration::
$ getent auth_attr | grep solaris.auth.delegate
solaris.auth.delegate:RO::Assign owned authorizations::
In this example, the administrator wants to assign the pfctl command to a network administrator, but does not know what other rights the assignee might need to handle the Packet Filter (PF) firewall.
The administrator searches the privileged commands database, exec_attr, for the pfctl command.
$ getent exec_attr | grep pfctl
Network Firewall Management:solaris:cmd:RO::/usr/sbin/pfctl:privs=sys_ip_config
The output indicates that the pfctl command is part of the Network Firewall Management rights profile and runs with the sys_ip_config privilege.
The administrator reviews the content of the rights profile.
$ profiles -p "Network Firewall Management" info
name=Network Firewall Management
desc=Firewall Administration
auths=solaris.smf.value.network.firewall,solaris.smf.manage.network.firewall
cmd=/usr/sbin/pfconf
cmd=/usr/sbin/pfctl
The output indicates that the Network Firewall Management profile authorizes the assignee to modify the SMF properties of the firewall, and also contains the pfconf command.
The administrator looks up the pfconf command in the privileged commands database.
$ getent exec_attr | grep pfconf
Network Firewall Management:solaris:cmd:RO::/usr/sbin/pfconf:privs=sys_ip_config
The administrator reviews the definitions of the authorizations that are in the chosen profile.
$ getent auth_attr | grep firewall
solaris.smf.manage.network.firewall:RO::Manage Network Firewall::
solaris.smf.value.network.firewall:RO::Change Network Firewall Configuration::
solaris.smf.manage.firewall:RO::Manage Firewall Service::
solaris.smf.value.firewall.config:RO::Change Service Firewall Config::
If the rights profile includes all the functions the assignee needs, the administrator assigns it to the user, or creates a role and assigns the role to the user. For examples, see Creating a Role and Example 12, Creating a Trusted User to Administer DHCP.
If the assignee needs more network capabilities, the administrator continues to investigate.
The administrator lists all network rights profiles, chooses another one, and repeats the search.
$ profiles -a | grep ^Network
Network Autoconf Admin
Network Autoconf User
Network ILB
Network Dot1x Management
Network LLDP
Network VRRP
Network DLMP
Network Management
Network Observability
Network TCP Key Management
Network Security
Network Wifi Management
Network Wifi Security
Network Link Security
Network IPsec Management
Network Firewall Management
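The two lookups this page performs by hand, command name to rights profile through exec_attr (the pfctl example) and authorization pattern to auth_attr definitions (the Zone Security procedure above), as an added shell example that is not part of the Oracle Solaris documentation. The database contents are constructed copies of the entries shown on this page so the script runs offline; the function names profiles_for_cmd, cmd_escalation and expand_auths and the SAMPLE_* variables are the example's own. On a Solaris host you would feed `getent exec_attr` and `getent auth_attr` output into the same functions instead.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation. It answers two
# review questions before a rights profile is assigned: which profile grants a
# command and with what escalation, and which authorizations an auths= pattern
# actually expands to. Database contents are constructed from the entries on
# the page; replace with `getent exec_attr` / `getent auth_attr` on a real host.

SAMPLE_EXEC_ATTR='Zone Security:solaris:cmd:RO::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:RO::/usr/sbin/zonecfg:uid=0
Network Firewall Management:solaris:cmd:RO::/usr/sbin/pfctl:privs=sys_ip_config
Network Firewall Management:solaris:cmd:RO::/usr/sbin/pfconf:privs=sys_ip_config'

SAMPLE_AUTH_ATTR='solaris.zone.:RO::Zone Management::
solaris.zone.login:RO::Zone Login::
solaris.zone.manage:RO::Zone Deployment::
solaris.zone.config:RO::Modify the Persistent Zone Configuration::
solaris.auth.delegate:RO::Assign owned authorizations::
solaris.smf.manage.network.firewall:RO::Manage Network Firewall::'

# profiles_for_cmd NAME: prints "profile<TAB>path<TAB>attributes" for each
# exec_attr entry whose command basename is exactly NAME. exec_attr fields are
# name:policy:type:res1:res2:id:attr, so the path is $6 and attributes are $7.
# Comparing the basename avoids false hits from a plain grep on a substring.
profiles_for_cmd() {
    printf '%s\n' "$SAMPLE_EXEC_ATTR" | awk -F: -v want="$1" '
        {
            n = split($6, p, "/")
            if (p[n] == want) printf "%s\t%s\t%s\n", $1, $6, $7
        }'
}

# cmd_escalation NAME: "full-root" when the entry runs the command as uid=0
# (as the Zone Security commands do); otherwise the discrete privilege set,
# which is the first thing a least-privilege review wants to distinguish.
cmd_escalation() {
    profiles_for_cmd "$1" | awk -F'\t' '
        {
            if ($3 ~ /(^|,)uid=0(,|$)/) r = "full-root"; else r = $3
            print r
        }'
}

# expand_auths LIST: LIST is the comma-separated auths= value from
# `profiles -p ... info`; a trailing ".*" is a prefix wildcard. Prints
# "authorization<TAB>description" for every auth_attr entry that is granted.
expand_auths() {
    printf '%s\n' "$SAMPLE_AUTH_ATTR" | awk -F: -v list="$1" '
        BEGIN { n = split(list, want, ",") }
        {
            for (i = 1; i <= n; i++) {
                w = want[i]
                if (w ~ /\.\*$/) {
                    # "solaris.zone.*" -> prefix "solaris.zone."
                    pre = substr(w, 1, length(w) - 1)
                    hit = (substr($1, 1, length(pre)) == pre)
                } else {
                    hit = ($1 == w)
                }
                if (hit) { printf "%s\t%s\n", $1, $4; break }
            }
        }'
}

# Usage, mirroring the reviews on the page:
#   profiles_for_cmd pfctl
#   cmd_escalation zonecfg
#   expand_auths "solaris.zone.*,solaris.auth.delegate"
```

The wildcard expansion matters because `auths=solaris.zone.*` reads like one entry in the profile listing but grants every authorization under that prefix, including ones added by later packages; listing them before assignment is how you check that the profile does not hand out more than the assignee's task requires.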
The administrator can also create a custom networking rights profile by following the instructions in Creating Rights Profiles and Authorizations.