
Oracle® Solaris Zones Configuration Resources


Updated: October 2017
 
 

Using Rights Profiles and Roles in Zone Administration

The root user has all administrative rights. The root user can assign administrative rights, such as a rights profile, a role, or specific privileges and authorizations, to users.

The zones rights profiles are:

Zone Security rights profile

For administrators who will create and configure zones.

The Zone Security rights profile includes the zonecfg or txzonemgr commands and every solaris.zone.* authorization. The assignee can delegate zone administration. For information about txzonemgr, see Creating Labeled Zones in Trusted Extensions Configuration and Administration.

If the auths property of the admin resource is configured in the managed zone, this rights profile is not sufficient to create, log in to, and configure zones. The zone administrator must be named in the user property of the admin resource and be assigned the solaris.zone.* authorizations.


Note - This rights profile permits the user to create, modify, or delete any zone configuration on the host.

Zone Configuration rights profile

For administrators who will create and modify zones.

The Zone Configuration rights profile enables a zone administrator to configure a zone. For a migrated zone, the administrator must be granted this rights profile on the target system to complete the migration if a configuration for the zone does not already exist on the target system. The Zone Configuration rights profile includes the zonecfg command only.

If the auths property of the admin resource is configured in the managed zone, this rights profile is not sufficient to configure zones. The zone administrator must be named in the user property of the admin resource and be assigned the solaris.zone.config authorization. If login is restricted, the zone administrator must also be assigned the solaris.zone.login authorization.


Note - This rights profile permits the user to create, modify, or delete any zone configuration on the host.

Zone Management rights profile

For administrators who will manage existing zones.

The Zone Management rights profile includes the zlogin and zoneadm commands.

If the auths property of the admin resource is configured in the managed zone, this rights profile is not sufficient to manage zones. The zone administrator must be named in the user property of the admin resource and be assigned the solaris.zone.* authorizations to log in and manage the zone.

Zone Migration rights profile

For administrators who will migrate any type of zone.

The Zone Migration rights profile enables a zone administrator to perform migration of an installed or running zone. A zone administrator who is assigned this profile can perform live or warm migrations. The Zone Migration rights profile includes the zoneadm and zonecfg commands.

If the auths property of the admin resource is configured in the managed zone, this rights profile is not sufficient to migrate zones. The zone administrator must be named as a user in the admin resource and be assigned the solaris.zone.migrate authorization. If login is restricted, the zone administrator must also be assigned the solaris.zone.login authorization.
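
The following added example (not Oracle code or tooling) models the four profile descriptions above as a small audit check that reports why a rights profile alone is not enough for a given zone. The function names, the zadmin and other accounts, and the boolean inputs are hypothetical; it assumes the caller has already collected the user's authorizations and the zone's admin resource settings.

```python
from fnmatch import fnmatchcase

# Transcribed from the profile descriptions above:
# profile -> (commands included, authorization required once the zone's admin
# resource sets auths, whether solaris.zone.login is also needed when login
# is restricted).
PROFILES = {
    "Zone Security": ({"zonecfg", "txzonemgr"}, "solaris.zone.*", False),
    "Zone Configuration": ({"zonecfg"}, "solaris.zone.config", True),
    "Zone Management": ({"zlogin", "zoneadm"}, "solaris.zone.*", False),
    "Zone Migration": ({"zoneadm", "zonecfg"}, "solaris.zone.migrate", True),
}

# Profiles whose Note says they allow changing any zone configuration on the host.
HOST_WIDE = {"Zone Security", "Zone Configuration"}


def holds(granted, required):
    """True if a granted authorization equals or wildcard-covers `required`."""
    return any(fnmatchcase(required, g) for g in granted)


def host_wide_profiles(assigned):
    """Return the assigned profiles that carry host-wide configuration rights."""
    return sorted(HOST_WIDE & set(assigned))


def missing_requirements(profile, user, granted, admin_users,
                         auths_set, login_restricted=False):
    """List the unmet extra requirements for `user` on one zone.

    An empty list means none of the caveats described above is unmet.
    """
    _, required, needs_login = PROFILES[profile]
    if not auths_set:
        # Assumption: with no auths property configured, the caveat does not apply.
        return []
    gaps = []
    if user not in admin_users:
        gaps.append("not named in the admin resource user property")
    if not holds(granted, required):
        gaps.append(f"missing {required}")
    if needs_login and login_restricted and not holds(granted, "solaris.zone.login"):
        gaps.append("missing solaris.zone.login")
    return gaps
```

Run it over each administrator and zone pair to find accounts that hold a profile but cannot use it, and use host_wide_profiles to list accounts whose reach extends to every zone configuration on the host.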

To use the profiles, see admin Resource for Zones. Also see the profiles(1) and prof_attr(4) man pages for information about zones profiles.

For information about Oracle Solaris features that protect applications running on your system, see Protecting and Isolating Applications in Oracle Solaris 11.3 Security and Hardening Guidelines.