Where site security policy permits, you can choose to create a user who can assume more than one administrative role.
For secure user creation, the System Administrator role creates the user and assigns the initial password, and the Security Administrator role assigns security-relevant attributes, such as a role.
Before You Begin
You must be in the root role in the global zone. Or, if separation of duty is enforced, users who can assume the distinct roles of Security Administrator and System Administrator must be present to assume their roles and perform the appropriate steps in this procedure.
Either the root role or the System Administrator role performs this step.
Do not place proprietary information in the comment.
# useradd -c "Second User" -u 1201 -d /home/jdoe jdoe
Either the root role or the Security Administrator role performs this step.
# usermod -K lock_after_retries=no -K idletime=5 -K idlecmd=lock \ -K audit_flags=lo,ex:no jdoe
# passwd jdoe New Password: xxxxxxxx Re-enter new Password: xxxxxxxx
The root role or the Security Administrator role performs this step.
# usermod -R oper jdoe
After checking your site security policy, you might want to grant your first users the Convenient Authorizations rights profile. With this profile, users can print without labels, remotely log in, and shut down the system. To create the profile, see How to Create a Rights Profile for Convenient Authorizations.
On a multilevel system, users and roles can be set up with files that list user initialization files to be copied or linked to other labels. For more information, see .copy_files and .link_files Files.
In this example, the root role creates a local user who can assume the Security Administrator role. For details, see the useradd(8) and atohexlabel(8) man pages.
This user is going to have a label range that is wider than the default label range. So, the root role determines the hexadecimal format of the user's minimum label and clearance label.
# atohexlabel public 0x0002-08-08 # atohexlabel -c "confidential restricted" 0x0004-08-78
Next, the root role consults Figure 2, Table 2, Trusted Extensions Security Defaults for User Accounts, and then creates the user. The administrator places the user's home directory in /export/home1 rather than the default, /export/home.
# useradd -c "Local user for Security Admin" -d /export/home1/jandoe -K audit_flags=lo,ex:no \ -K idletime=8 -K idlecmd=lock -K lock_after_retries=no \ -K min_label=0x0002-08-08 -K clearance=0x0004-08-78 jandoe
Then, the root role assigns an initial password.
# passwd -r files jandoe New Password: xxxxxxxx Re-enter new Password: xxxxxxxx passwd: password successfully changed for jandoe #
Finally, the root role adds the Security Administrator role to the user's definition. The role was created in How to Create the Security Administrator Role in Trusted Extensions.
# usermod -R secadmin jandoe