man pages section 1: User Commands

Updated: Thursday, June 13, 2019
 
 

auths(1)

Name

auths - manage and list authorizations

Synopsis

auths [user]...
auths list [-S repository] [-vx] [-u user]
auths info [-S repository] [-v] [authorization]
auths check [-u user] authorization
auths add [-S repository] -t description [-h help_file_path] authorization
auths modify [-S repository] [-t description] [-h help_file_path] authorization
auths remove [-S repository] authorization

Description

The auths command prints on standard output the authorizations that you or the optionally-specified user or role have been granted. Authorizations are rights that are checked by certain privileged programs to determine whether a user may execute restricted functionality.

The command also creates and modifies authorizations and their properties in the auth_attr(5) database in the local files name service or the LDAP name service.

An administrator must be granted the Rights Management Profile to be able to manage the authorizations in the auth_attr(5) database with the add, modify, or remove subcommands.

Each user may have zero or more authorizations. Authorizations are represented by fully-qualified names, which identify the organization that created the authorization and the functionality that it controls. Following the Java convention, the hierarchical components of an authorization are separated by dots (.), starting with the reverse order Internet domain name of the creating organization, and ending with the specific function within a class of authorizations. Authorizations cannot end with a dot (.).

An asterisk (*) indicates all authorizations in a class.

A user's authorizations are looked up in user_attr(5) and in the /etc/security/policy.conf file (see policy.conf(5)). Authorizations may be specified directly in user_attr(5) or indirectly through prof_attr(5). Authorizations may also be assigned to every user in the system directly as default authorizations or indirectly as default profiles in the /etc/security/policy.conf file.

For each user, there are two sets of profiles: an authenticated set and an unauthenticated set. Authorizations in the authenticated set are always effective, but those in the unauthenticated set only become effective after a successful response to an authentication challenge. Such challenges are automatically issued when the user executes a command matching an entry in the authenticated profiles set. See pfexec(1).

Subcommands

add [-S repository] -t description [-h help_file_path] authorization

Create the specified authorization (authorization) in the specified name-service repository (repository).

If no repository option is specified, the authorization is created in the files name-service.

check [-u user] authorization

Check if the specified authorization (authorization) has been granted to the specified username (user) or the current user.

If the user has the proper authorization, auths exits with exit code 0. Otherwise, it returns with an exit code greater than 1.

info [-S repository] [-v] [authorization]

Check if the specified authorization (authorization) is present in the specified name-service repository (repository) or, if no repository is specified, in the name services looked up based on nsswitch.conf(5). If the specified authorization is present, it is listed and auths exits with return code 0.

If no authorization is specified, auths prints all the authorizations present in the specified name-service repository or based on nsswitch.conf(5).

list [-S repository] [-vx] [-u user]

List all the authorizations that are assigned to the specified user (user), or to the current user if no username is specified, based on the name-service repository (repository).

If no repository is specified, the information is looked up based on nsswitch.conf(5).

modify [-S repository] [-t description] [-h help_file_path] authorization

Modify an existing authorization in the specified name-service repository. If no repository is specified, the authorization will be modified in the first name-service that it is found in based on nsswitch.conf(5).

remove [-S repository] authorization

Remove an existing authorization (authorization) in the specified name-service repository (repository).

If no repository is specified, the authorization is removed from the first name-service that it is found in based on nsswitch.conf(5).

Options

The auths subcommands support the following options:

-h help_file_path

Set the location of the help file which contains information about the authorization.

-S repository

Specify the name-service repository (repository) to be modified or searched. The supported repository options are files and ldap.


Note -  When updating the ldap repository, both the LDAP server and client must be configured with EnableShadowUpdate=true.

If this option is omitted, the lookup is based on nsswitch.conf(5).

-t description

Specify the textual description of the authorization.

-u user

Specify the user name (user) for which to list or check authorization.

If this option is omitted, the current user is used.

-v

Print the description for the authorization.

-x

Only print the authorizations.

Examples

Example 1 Using the auths Command

The output from the auths command looks as follows:


example% auths tester01 tester02
tester01 : solaris.system.date,solaris.jobs.admin
tester02 : solaris.system.*
example%

There is no space after the comma separating the authorization names in tester01.

The following command lists the authorizations that are assigned to user tester01.


example% auths list -u tester01

tester01:
solaris.jobs.admin
solaris.system.date
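
The following is an added example, not part of the original man page or of Oracle's code. It reads lines in the `user : auth,auth` format shown above and reports which users hold a given authorization, either by name or through a class wildcard as described under Description. The function names and sample data are constructed, and the prefix matching is a simplified reading of the asterisk rule; `auths check` remains the authoritative test on a live system.

```shell
#!/bin/sh
# Constructed sample in the format printed by "auths user..." (not real output).
SAMPLE_AUTHS='tester01 : solaris.system.date,solaris.jobs.admin
tester02 : solaris.system.*'

# auth_covers GRANT AUTH
# Succeeds if GRANT is AUTH itself, or a class wildcard ("prefix.*") whose
# prefix, including the trailing dot, begins AUTH. Assumption: plain prefix
# matching; the system's own matcher may apply further rules.
auth_covers() {
    case "$1" in
        "$2") return 0 ;;
        *.\*) prefix=${1%\*}
              case "$2" in "$prefix"*) return 0 ;; esac ;;
    esac
    return 1
}

# users_covering AUTH
# Reads "user : a,b,c" lines on stdin and prints "user via grant" for every
# grant that covers AUTH, so broad wildcard grants are visible in the result.
users_covering() {
    want=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in *" : "*) ;; *) continue ;; esac
        user=${line%% :*}
        rest=${line#*" : "}
        # Split on commas by hand; an unquoted $rest would be glob-expanded
        # and "solaris.system.*" could match file names in the current directory.
        while [ -n "$rest" ]; do
            grant=${rest%%,*}
            case "$rest" in *,*) rest=${rest#*,} ;; *) rest= ;; esac
            if auth_covers "$grant" "$want"; then
                printf '%s via %s\n' "$user" "$grant"
            fi
        done
    done
}

# Demo on the constructed sample: who can set the system date?
printf '%s\n' "$SAMPLE_AUTHS" | users_covering solaris.system.date
```

On a live system, pipe the output of `auths user1 user2` into `users_covering` in place of the sample.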

Example 2 Listing Authorizations

The following command lists the authorizations assigned to user tester01 with descriptions.

example% auths list -v -u tester01
tester01:
solaris.jobs.admin
Manage All Jobs
solaris.system.date
Set Date & Time


Example 3 Listing Authorizations

The following command lists the authorizations with descriptions in the name-service.


example% auths info -v solaris.user.manage
solaris.user.manage:
Manage user accounts
example%

Example 4 Adding an Authorization

The following adds the authorization solaris.foo.manage with description manage foo and help file AuthFoo.html to the files name-service repository.


example% auths add -t "manage foo"\
              -h /home/abc/AuthFoo.html solaris.foo.manage

Example 5 Modifying an Authorization

The following example modifies the authorization solaris.foo.manage, sets the description to manage foo and bar, and sets the help file to AuthFooBar.html in LDAP.


example% auths modify -S ldap -t "manage foo and bar" \
              -h /home/abc/AuthFooBar.html solaris.foo.manage

Exit Status

The following exit values are returned:

0

Successful completion.

1

An error occurred.

2

User not authorized.

Files

/etc/user_attr

/etc/security/auth_attr

/etc/security/policy.conf

/etc/security/prof_attr

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE      ATTRIBUTE VALUE
Availability        system/core-os

See Also

profiles(1), roles(1), getauthattr(3C), auth_attr(5), policy.conf(5), prof_attr(5), user_attr(5), attributes(7)

Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP