Oracle® VM Server for SPARC 3.2 Administration Guide


Updated: May 2015

Using Rights Profiles and Roles


Caution - Be careful when using the usermod and rolemod commands to add authorizations, rights profiles, or roles.

  • For the Oracle Solaris 10 OS, the usermod or rolemod command replaces any existing values. To add values instead of replacing them, specify a comma-separated list of existing values and the new values.
  • For the Oracle Solaris 11 OS, add values by using the plus sign (+) for each authorization you add. For example, the usermod -A +auth username command grants the auth authorization to the username user; similarly for the rolemod command.


Managing User Rights Profiles

The following procedures show how to manage user rights profiles on the system by using local files. To manage user profiles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

How to Assign a Rights Profile to a User

Users who have been directly assigned the LDoms Management profile must invoke a profile shell to run the ldm command with security attributes. For more information, see System Administration Guide: Security Services or Part III, Roles, Rights Profiles, and Privileges, in Oracle Solaris 11.1 Administration: Security Services.

  1. Become an administrator.
  2. Assign an administrative profile to a local user account.

    You can assign either the LDoms Review profile or the LDoms Management profile to a user account.

    # usermod -P "profile-name" username

    The following command assigns the LDoms Management profile to user sam:

    # usermod -P "LDoms Management" sam
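The caution above notes that on Oracle Solaris 10 usermod -P replaces the user's whole profiles list, so the existing profiles must be repeated in a comma-separated list. The following shell example is added here and is not part of the Oracle guide: it parses a constructed user_attr(4) line for the user, appends the new profile to the existing profiles= value unless it is already present, and prints the resulting usermod command rather than running it. The sample user sam and his existing LDoms Review profile are assumed values.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. The user_attr line below is
# constructed sample data; on a live Solaris 10 system it would come from
# /etc/user_attr (format: user:qual:res1:res2:key=value;key=value).

# Print the value of one attribute key (for example "profiles") from a
# user_attr line, or nothing if the key is absent.
user_attr_value() {
    # $1 = user_attr line, $2 = key name
    attrs=$(printf '%s\n' "$1" | cut -d: -f5)
    printf '%s\n' "$attrs" | tr ';' '\n' | sed -n "s/^$2=//p"
}

# Append a profile to a comma-separated profiles list, keeping the list
# unchanged when the profile is already assigned.
merge_profile() {
    # $1 = existing list (may be empty), $2 = profile to add
    case ",$1," in
        *",$2,"*) printf '%s\n' "$1" ;;          # already present
        *)
            if [ -z "$1" ]; then
                printf '%s\n' "$2"               # first profile for this user
            else
                printf '%s,%s\n' "$1" "$2"       # existing values plus new one
            fi ;;
    esac
}

# Build the Solaris 10 usermod command that adds $2 without dropping the
# profiles the user already has (the comma-separated list the caution asks for).
usermod_add_profile_cmd() {
    # $1 = user_attr line for the user, $2 = profile to add
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    current=$(user_attr_value "$1" profiles)
    merged=$(merge_profile "$current" "$2")
    printf 'usermod -P "%s" %s\n' "$merged" "$user"
}

# Constructed sample: sam already holds LDoms Review and the ldm_read role.
SAMPLE_LINE='sam::::profiles=LDoms Review;roles=ldm_read'
usermod_add_profile_cmd "$SAMPLE_LINE" "LDoms Management"
# → usermod -P "LDoms Review,LDoms Management" sam
```

On a live system, confirm the current list with profiles username before and after running the printed command; on Oracle Solaris 11 the plus-sign form described in the caution avoids the merge altogether.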

Assigning Roles to Users

The following procedure shows how to create a role and assign it to a user by using local files. To manage roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

The advantage of using this procedure is that only a user who has been assigned a specific role can assume that role. Assuming the role also requires the role's password, if one has been assigned. These two layers of security prevent a user who has not been assigned a role from assuming that role even if that user knows the role's password.

How to Create a Role and Assign the Role to a User

  1. Become an administrator.
  2. Create a role.
    # roleadd -P "profile-name" role-name
  3. Assign a password to the role.

    You will be prompted to specify and then verify a new password.

    # passwd role-name
  4. Assign the role to a user.
    # useradd -R role-name username
  5. Assign a password to the user.

    You will be prompted to specify and then verify a new password.

    # passwd username
  6. Become the user and provide the password, if necessary.
    # su username
  7. Verify that the user has access to the assigned role.
    $ id
    uid=nn(username) gid=nn(group-name)
    $ roles
    role-name
  8. Assume the role and provide the password, if necessary.
    $ su role-name
  9. Verify that the user has assumed the role.
    $ id
    uid=nn(role-name) gid=nn(group-name)
Example 2-1 Creating a Role and Assigning the Role to a User

This example shows how to create the ldm_read role, assign the role to the user_1 user, become the user_1 user, and assume the ldm_read role.

# roleadd -P "LDoms Review" ldm_read
# passwd ldm_read
New Password:
Re-enter new Password:
passwd: password successfully changed for ldm_read
# useradd -R ldm_read user_1
# passwd user_1
New Password:
Re-enter new Password:
passwd: password successfully changed for user_1
# su user_1
Password:
$ id
uid=95555(user_1) gid=10(staff)
$ roles
ldm_read
$ su ldm_read
Password:
$ id
uid=99667(ldm_read) gid=14(sysadmin)