Caution - Be careful when using the usermod and rolemod commands to add authorizations, rights profiles, or roles.
The following procedures show how to manage user rights profiles on the system by using local files. To manage user profiles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
Users who have been directly assigned the LDoms Management profile must invoke a profile shell to run the ldm command with security attributes. For more information, see System Administration Guide: Security Services or Securing Users and Processes in Oracle Solaris 11.3.
For Oracle Solaris 11.3, see Chapter 1, About Using Rights to Control Users and Processes, in Securing Users and Processes in Oracle Solaris 11.3.
You can assign either the LDoms Review profile or the LDoms Management profile to a user account.
# usermod -P "profile-name" username
The following command assigns the LDoms Management profile to user sam:
# usermod -P "LDoms Management" sam
The following procedure shows how to create a role and assign it to a user by using local files. To manage roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
The advantage of using this procedure is that only a user who has been assigned a specific role can assume that role. When assuming a role, a password is required if the role has been assigned a password. These two layers of security prevent a user who has not been assigned a role from assuming that role, even if that user knows the role's password.
For Oracle Solaris 11.3, see Chapter 1, About Using Rights to Control Users and Processes, in Securing Users and Processes in Oracle Solaris 11.3.
Create the role and assign it a rights profile:
# roleadd -P "profile-name" role-name
Assign a password to the role. You will be prompted to specify and then verify a new password.
# passwd role-name
Create the user and assign the role to that user:
# useradd -R role-name username
Assign a password to the user. You will be prompted to specify and then verify a new password.
# passwd username
Become the user and verify that the role is assigned:
# su username
$ id
uid=nn(username) gid=nn(group-name)
$ roles
role-name
Assume the role and verify the identity change:
$ su role-name
$ id
uid=nn(role-name) gid=nn(group-name)
This example shows how to create the ldm_read role, assign the role to the user_1 user, become the user_1 user, and assume the ldm_read role.
# roleadd -P "LDoms Review" ldm_read
# passwd ldm_read
New Password:
Re-enter new Password:
passwd: password successfully changed for ldm_read
# useradd -R ldm_read user_1
# passwd user_1
New Password:
Re-enter new Password:
passwd: password successfully changed for user_1
# su user_1
Password:
$ id
uid=95555(user_1) gid=10(staff)
$ roles
ldm_read
$ su ldm_read
Password:
$ id
uid=99667(ldm_read) gid=14(sysadmin)
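Both procedures above (direct profile assignment with usermod -P, and role assignment with roleadd/useradd -R) end up as entries in the local user_attr database. The following added example, which is not part of the Oracle documentation, parses a constructed file in the /etc/user_attr format and reports every account that holds the LDoms Review or LDoms Management profile, either directly or through a role it is allowed to assume. The sample entries, the temporary-file handling and the function names are assumptions made for this example; on a Solaris system, pass /etc/user_attr to ldoms_report instead to audit the real assignments after a change.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Parses a user_attr(4)
# style file (name:qualifier:res1:res2:attr, attr = key=value;key=value)
# and reports who holds the LDoms rights profiles, directly or via roles.

# Constructed sample entries in /etc/user_attr format (assumption: this is
# demonstration data only; on a Solaris system pass /etc/user_attr instead).
SAMPLE_USER_ATTR=$(mktemp)
trap 'rm -f "$SAMPLE_USER_ATTR"' EXIT
cat > "$SAMPLE_USER_ATTR" <<'EOF'
# user_attr(4) sample: comments and blank lines are ignored
root::::type=normal;auths=solaris.*;profiles=All
sam::::type=normal;profiles=LDoms Management
ldm_read::::type=role;profiles=LDoms Review
ldm_admin::::type=role;profiles=LDoms Management
user_1::::type=normal;roles=ldm_read
user_2::::type=normal;roles=ldm_read,ldm_admin;profiles=Basic Solaris User
EOF

# attr_value FILE NAME KEY: print the value of KEY (type, profiles, roles,
# auths) from the attr field of account NAME, or nothing if it is absent.
attr_value() {
    awk -F: -v name="$2" -v key="$3" '
        /^#/ || NF < 5 { next }
        $1 == name {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], key "=") == 1) {
                    print substr(kv[i], length(key) + 2); exit
                }
        }' "$1"
}

# accounts_with_profile FILE PROFILE TYPE: names of accounts of TYPE
# (normal or role) whose profiles= list contains PROFILE exactly.
accounts_with_profile() {
    awk -F: -v prof="$2" -v want="$3" '
        /^#/ || NF < 5 { next }
        {
            type = ""; profiles = ""
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                k = substr(kv[i], 1, eq - 1); v = substr(kv[i], eq + 1)
                if (k == "type") type = v
                if (k == "profiles") profiles = v
            }
            if (type != want) next
            m = split(profiles, plist, ",")
            for (j = 1; j <= m; j++) if (plist[j] == prof) print $1
        }' "$1"
}

# users_with_role FILE ROLE: names of accounts whose roles= list names ROLE.
users_with_role() {
    awk -F: -v role="$2" '
        /^#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], "roles=") == 1) {
                    m = split(substr(kv[i], 7), rl, ",")
                    for (j = 1; j <= m; j++) if (rl[j] == role) print $1
                }
        }' "$1"
}

# ldoms_report FILE: one tab-separated line per holder of an LDoms profile:
#   profile <TAB> account <TAB> direct | via role ROLE
ldoms_report() {
    for prof in "LDoms Review" "LDoms Management"; do
        for acct in $(accounts_with_profile "$1" "$prof" normal); do
            printf '%s\t%s\tdirect\n' "$prof" "$acct"
        done
        for role in $(accounts_with_profile "$1" "$prof" role); do
            for u in $(users_with_role "$1" "$role"); do
                printf '%s\t%s\tvia role %s\n' "$prof" "$u" "$role"
            done
        done
    done
}

ldoms_report "$SAMPLE_USER_ATTR"
```

For the constructed sample, the report lists user_1 and user_2 as LDoms Review holders via the ldm_read role, sam as a direct LDoms Management holder, and user_2 as an LDoms Management holder via ldm_admin. Matching profile and role names exactly (rather than with a substring search) matters here, because a profile such as "LDoms Management" would otherwise also match any longer name that contains it.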