Configuring Role-Based Access Control to Replace Superuser
Role-based access control (RBAC), a feature of Oracle Solaris, distributes the capabilities of superuser to administrative roles. Roles get these capabilities through bundles called rights profiles. Regular users can also be assigned rights profiles.
Superuser, the root user, has access to every resource in the system. With RBAC, you can replace many of root's responsibilities with a set of roles with discrete powers. For example, you can set up one role to handle user account creation and another role to handle system file modification. Although you might not modify the root account, you can leave the account as a role, then not assign the role. This strategy effectively removes root access to the system.
Each role requires that a known user log in with her or his user name and password. After logging in, the user then assumes the role with a specific role password. If you assign rights profiles directly to a user, the user must open a profile shell to gain administrative powers. For more information about RBAC, see User Rights Management in Securing Users and Processes in Oracle Solaris 11.4.
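To check whether a system actually follows the strategy of leaving root as a role and not assigning it, the following added example (not part of the original Oracle documentation) audits text in the user_attr database format. It assumes the colon-separated layout name:qualifier:res1:res2:attributes with semicolon-separated key=value pairs; the function names and the sample entries are constructed for illustration, and only entries passed on standard input are examined.

```shell
#!/bin/sh
# Added example: report whether root is a role and which accounts hold it.
# Reads user_attr-format text on stdin (assumed layout:
#   name:qualifier:res1:res2:key=value;key=value).
audit_root_role() {
    awk -F: '
        /^[ \t]*#/ || NF < 5 { next }            # skip comments, short lines
        {
            name = $1
            attr = $5                            # rejoin in case a value held ":"
            for (k = 6; k <= NF; k++) attr = attr ":" $k
            n = split(attr, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq == 0) continue
                key = substr(kv[i], 1, eq - 1)
                val = substr(kv[i], eq + 1)
                if (name == "root" && key == "type" && val == "role")
                    root_is_role = 1
                if (key == "roles") {            # comma-separated role list
                    m = split(val, r, ",")
                    for (j = 1; j <= m; j++)
                        if (r[j] == "root")
                            holders = holders (holders == "" ? "" : ",") name
                }
            }
        }
        END {
            if (!root_is_role)      print "root=user"
            else if (holders != "") print "root=role assigned=" holders
            else                    print "root=role assigned=none"
        }'
}

# Constructed sample entries, not taken from a real system.
sample_user_attr() {
    cat <<'EOF'
# constructed sample
root::::type=role;auths=solaris.*;profiles=All
jdoe::::roles=root;profiles=System Administrator
useradm::::type=role;profiles=User Management
asmith::::roles=useradm
EOF
}

sample_user_attr | audit_root_role
```

A result of root=role assigned=none corresponds to the configuration described above, where no user can assume root; root=user means the account still accepts direct login as superuser.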