Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: November 2020

How to Modify a User's Label Range

You might want to extend a user's label range to give the user read access to an administrative application. For example, a user who can log in to the global zone could then view a list of the systems that run at a particular label. The user could view, but not change the contents.

Alternatively, you might want to restrict the user's label range. For example, a guest user might be limited to one label.

Before You Begin

You must be in the Security Administrator role in the global zone.

  • Do one of the following:
    • To extend the user's label range, assign a higher clearance.
      # usermod -K min_label=INTERNAL -K clearance=ADMIN_HIGH username

      You can also extend the user's label range by lowering the minimum label.

      # usermod -K min_label=PUBLIC -K clearance=INTERNAL username

      For more information, see the usermod(8) and user_attr(5) man pages.

    • To restrict the label range to one label, make the clearance equal to the minimum label.
      # usermod -K min_label=INTERNAL -K clearance=INTERNAL username