auths - manage and list authorizations
auths list [-S repository] [-vx] [-u user]
auths info [-S repository] [-v] [authorization]
auths check [-u user] authorization
auths add [-S repository] -t description [-h help_file_path] authorization
auths modify [-S repository] [-t description] [-h help_file_path] authorization
auths remove [-S repository] authorization
The auths command prints on standard output the authorizations that you or the optionally-specified user or role have been granted. Authorizations are rights that are checked by certain privileged programs to determine whether a user may execute restricted functionality.
The command also creates and modifies an authorization and its properties in the auth_attr(5) database in the local files name service or LDAP name service. The auths command also prints on standard output the authorizations that you or the optionally specified user or role have been granted.
An administrator must be granted the Rights Management Profile to be able to manage the authorizations in the auth_attr(5) database with the add, modify, or remove subcommands.
Each user may have zero or more authorizations. Authorizations are represented by fully-qualified names, which identify the organization that created the authorization and the functionality that it controls. Following the Java convention, the hierarchical components of an authorization are separated by dots (. ), starting with the reverse order Internet domain name of the creating organization, and ending with the specific function within a class of authorizations. Authorizations cannot end with a dot (..)
An asterisk (*) indicates all authorizations in a class.
A user's authorizations are looked up in user_attr(5) and in the /etc/security/policy.conf file (see policy.conf(5)). Authorizations may be specified directly in user_attr(5) or indirectly through prof_attr(5). Authorizations may also be assigned to every user in the system directly as default authorizations or indirectly as default profiles in the /etc/security/policy.conf file.
For each user, there are two sets of profiles, an authenticated set, and an unauthenticated set. Authorizations in the authenticated set or always effective, but those in the unauthenticated set only become effective after a successful response to an authentication challenge. Such challenges are automatically issued when the user executes a command matching an entry in the authenticated profiles set. See pfexec(1).
Create the specified authorization (authorization) in the specified name-service repository (repository).
If no repository option is specified, the authorization is created in the file's name-service.
Check if the specified authorization (authorization) has been granted to the specified username (user) or the current user.
If the user has the proper authorization, auths exits with exit code 0. Otherwise, it returns with exit code greater than 1.
Check if the specified authorization (authorization) is present in the specified name-service repository (repository) or looks up based on nsswitch.conf(5). If the specified authorization is present, it is listed and the auths exits with return code 0.
If no authorization is specified, auths prints all the authorizations present in the specified name-service repository or based on nsswitch.conf(5).
Lists all the authorizations that are assigned to the specified user (user) or current user, if no username is specified, based on the name-service repository (repository).
If no repository is specified the information is looked up based on nsswitch.conf(5).
Modify an existing authorization in the specified name-service repository. If no repository is specified the authorization ill be modified in the first name-service that it is found in based on nsswitch.conf(5).
Remove an existing authorization (authorization) in the specified name-service repository (repository).
If no repository is specified, the authorization is removed from the first name-service that it is found in based on nsswitch.conf(5).
The auths subcommands support the following options:
Set the location of the help file which contains information about the authorization.
Specify the name-service repository (repository) to be modified or searched. The supported repository options are files and ldap.
If this option is omitted, look up is based on nsswitch.conf(5).
Specify the textual description of the authorization.
Specify the user name (user) for which to list or check authorization.
If this option is omitted, the current user is used.
Print the description for the authorization.
Only print the authorizations.
The output from the auths output looks as follows:
example% auths tester01 tester02 tester01 : solaris.system.date,solaris.jobs.admin tester02 : solaris.system.* example%
There is no space after the comma separating the authorization names in tester01.
The following command lists the authorizations that are assigned to user tester01.
example% auths list -u tester01 tester01: solaris.jobs.admin solaris.system.dateExample 2 Listing Authorizations
The following command lists the authorizations assigned to user tester01 with descriptions.
example% auths list -v -u tester01 tester01: solaris.jobs.admin Manage All Jobs solaris.system.date Set Date & TimeExample 3 Listing Authorizations
The following command lists the authorizations with descriptions in the name-service.
example% auths info -v solaris.user.manage solaris.user.manage: Manage user accounts example%Example 4 Adding an Authorization
The following adds the authorization solaris.foo.manage with description manage foo and help file AuthFoo.html to the file's name-service repository.
example% auths add -t "manage foo"\ -h /home/abc/AuthFoo.html solaris.foo.manageExample 5 Modifying an Authorization
The following example modifies the authorization solaris.foo.manage , sets the description to manage foo and bar, and sets the help file to AuthFooBar.html in LDAP.
example% auths -S ldap modify -t " manage foo and bars"\ -h /home/abc/AuthFooBar.html solaris.foo.manage
The following exit values are returned:
An error occurred.
User not authorized.
See attributes(7) for descriptions of the following attributes: