Configuring Role-Based Access Control to Replace Superuser

Role-based access control (RBAC), a feature of Oracle Solaris, distributes the capabilities of superuser to administrative roles. Roles get these capabilities through bundles called rights profiles. Regular users can also be assigned rights profiles.

Superuser, the root user, has access to every resource in the system. With RBAC, you can replace many of root's responsibilities with a set of roles that have discrete powers. For example, you can set up one role to handle user account creation and another role to handle system file modification. Even if you do not otherwise modify the root account, you can leave the account as a role and then not assign that role to any user. This strategy effectively removes root access to the system.

Each role requires that a known user log in with her or his user name and password. After logging in, the user then assumes the role with a specific role password. If you assign rights profiles directly to a user, the user must open a profile shell to gain administrative powers. For more information about RBAC, see "User Rights Management" in "Securing Users and Processes in Oracle Solaris 11.4".
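
The following audit check is an added example, not code from Oracle's documentation. It verifies the strategy described above (root kept as a role and assigned to no one) against a file in user_attr(5) layout. The sample entries and the function names `sample_user_attr` and `audit_root_role` are constructed for illustration, and the check assumes RBAC attributes are stored in a local file rather than a naming service.

```shell
#!/bin/sh
# Added example: checks the "root is a role that nobody is assigned" strategy
# against a file in user_attr(5) layout (user:qualifier:res1:res2:attr).

# Constructed sample entries, not taken from a real system.
sample_user_attr() {
cat <<'EOF'
# constructed sample
root::::type=role;auths=solaris.*;profiles=All;audit_flags=lo\:no
useradm::::type=role;profiles=User Management
jdoe::::type=normal;roles=useradm
asmith::::roles=root,useradm;profiles=Basic Solaris User
EOF
}

# Prints root's account type and every user holding the root role.
# Returns 0 only when root is a role and no user is assigned it.
audit_root_role() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }
    {
      user = $0; sub(/:.*/, "", user)
      attr = $0
      # Strip user, qualifier, res1, res2; attr may hold escaped colons.
      for (i = 0; i < 4; i++) sub(/^[^:]*:/, "", attr)
      type = "normal"; roles = ""   # assumed default when type= is absent
      n = split(attr, kv, ";")
      for (i = 1; i <= n; i++) {
        if (kv[i] ~ /^type=/)  type  = substr(kv[i], 6)
        if (kv[i] ~ /^roles=/) roles = substr(kv[i], 7)
      }
      if (user == "root") root_type = type
      m = split(roles, r, ",")
      for (j = 1; j <= m; j++)
        if (r[j] == "root") holders = holders (holders ? "," : "") user
    }
    END {
      if (root_type == "") root_type = "absent"
      print "root_type=" root_type
      print "root_assigned_to=" holders
      exit !(root_type == "role" && holders == "")
    }
  ' "$1"
}

tmp=$(mktemp)
sample_user_attr > "$tmp"
audit_root_role "$tmp" || echo "finding: root is directly usable or assigned"
rm -f "$tmp"
```

On the constructed sample the check reports a finding because `asmith` holds the root role; removing that assignment makes it pass.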