Caution - Be careful when using the usermod and rolemod commands to add authorizations, rights profiles, or roles.
The following procedures show how to manage user rights profiles on the system by using local files. To manage user profiles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
Users who have been directly assigned the LDoms Management profile must invoke a profile shell to run the ldm command with security attributes. For more information, see System Administration Guide: Security Services or Part III, Roles, Rights Profiles, and Privileges, in Oracle Solaris 11.1 Administration: Security Services.
You can assign either the LDoms Review profile or the LDoms Management profile to a user account.

Assign the rights profile to the user:

    # usermod -P "profile-name" username

The following command assigns the LDoms Management profile to user sam:

    # usermod -P "LDoms Management" sam
The following procedure shows how to create a role and assign it to a user by using local files. To manage roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
The advantage of using this procedure is that only a user who has been assigned a specific role can assume that role. When assuming a role, a password is required if the role has been assigned a password. These two layers of security prevent a user who has not been assigned a role from assuming that role, even if that user knows the role's password.
1. Create the role and assign a rights profile to it:

    # roleadd -P "profile-name" role-name

2. Set a password for the role. You will be prompted to specify and then verify a new password.

    # passwd role-name

3. Create the user and assign the role to the user:

    # useradd -R role-name username

4. Set a password for the user. You will be prompted to specify and then verify a new password.

    # passwd username

5. Become the user:

    # su username

6. Verify the user's identity and the roles assigned to the user:

    $ id
    uid=nn(username) gid=nn(group-name)
    $ roles
    role-name

7. Assume the role:

    $ su role-name

8. Verify that the role has been assumed:

    $ id
    uid=nn(role-name) gid=nn(group-name)
This example shows how to create the ldm_read role, assign the role to the user_1 user, become the user_1 user, and assume the ldm_read role.
    # roleadd -P "LDoms Review" ldm_read
    # passwd ldm_read
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for ldm_read
    # useradd -R ldm_read user_1
    # passwd user_1
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for user_1
    # su user_1
    Password:
    $ id
    uid=95555(user_1) gid=10(staff)
    $ roles
    ldm_read
    $ su ldm_read
    Password:
    $ id
    uid=99667(ldm_read) gid=14(sysadmin)
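Both procedures record their results in /etc/user_attr, so the check worth running afterwards is whether the entries actually grant what was intended. The following script is an added example, not from the Oracle guide: it parses constructed user_attr(4)-style entries (user:qualifier:res1:res2:attr, with the attr field as semicolon-separated key=value pairs) and verifies both a direct profile assignment and the full user-to-role-to-profile chain. The function names and sample entries are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample in /etc/user_attr format (user:qualifier:res1:res2:attr);
# on a real system use: ATTR_TEXT=$(cat /etc/user_attr)
ATTR_TEXT='root::::type=normal;auths=solaris.*;profiles=All
ldm_read::::type=role;profiles=LDoms Review
user_1::::type=normal;roles=ldm_read
sam::::type=normal;profiles=LDoms Management,All'

# Print the value of KEY (profiles, roles, type, ...) from USER's attr field,
# or nothing if the user or key is absent.
user_attr_value() {
    printf '%s\n' "$ATTR_TEXT" | awk -F: -v user="$1" -v key="$2" '
        $1 == user {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (substr(kv[i], 1, eq - 1) == key) { print substr(kv[i], eq + 1); exit }
            }
        }'
}

# Succeed if comma-separated LIST contains ITEM exactly (names may have spaces).
list_contains() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Succeed if USER's own profiles= list names PROFILE (the usermod -P case).
has_profile() {
    list_contains "$(user_attr_value "$1" profiles)" "$2"
}

# Verify the role procedure end to end: USER lists ROLE in roles=, ROLE's own
# entry is type=role, and ROLE carries PROFILE. A break anywhere in the chain
# means USER cannot reach PROFILE by assuming ROLE.
role_grants_profile() {
    list_contains "$(user_attr_value "$1" roles)" "$2" || return 1
    [ "$(user_attr_value "$2" type)" = role ] || return 1
    has_profile "$2" "$3"
}

# Stand-alone run: report how each sample user reaches the LDoms profiles.
for u in sam user_1; do
    has_profile "$u" "LDoms Management" && echo "$u: LDoms Management assigned directly"
    role_grants_profile "$u" ldm_read "LDoms Review" && echo "$u: LDoms Review via role ldm_read"
done
```

Run against the real file after each procedure to confirm that a usermod -P or useradd -R left the user with exactly the profiles and roles you expected.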