ZFS delegated administration enables you to distribute refined permissions to specific users, groups, or everyone. Two types of delegated permissions are supported:
Individual permissions can be explicitly delegated such as create, destroy, mount, snapshot, and so on.
Groups of permissions called permission sets can be defined. A permission set can later be updated, and all of the consumers of the set automatically get the change. Permission sets begin with the @ symbol and are limited to 64 characters in length. After the @ symbol, the remaining characters in the set name have the same restrictions as normal ZFS file system names.
ZFS delegated administration provides features similar to the RBAC security model. ZFS delegation provides the following advantages for administering ZFS storage pools and file systems:
Permissions follow the ZFS storage pool whenever a pool is migrated.
Provides dynamic inheritance where you can control how the permissions propagate through the file systems.
Can be configured so that only the creator of a file system can destroy the file system.
You can delegate permissions to specific file systems. Newly created file systems can automatically pick up permissions.
Provides simple NFS administration. For example, a user with explicit permissions can create a snapshot over NFS in the appropriate .zfs/snapshot directory.
Consider using delegated administration for distributing ZFS tasks. For information about using RBAC to manage general Oracle Solaris administration tasks, see Chapter 1, About Using Rights to Control Users and Processes in Securing Users and Processes in Oracle Solaris 11.3.