Delegating the Management of Logical Domains by Using Rights
The Logical Domains Manager package adds the following predefined rights profiles to the local rights configuration. These rights profiles delegate administrative privileges to unprivileged users:
- The LDoms Management profile permits a user to use all ldm subcommands.
- The LDoms Review profile permits a user to use all list-related ldm subcommands.
- The LDoms Consoles profile permits a user to connect to all domain consoles.
These rights profiles can be assigned directly to users or to a role that is then assigned to users. When one of these profiles is assigned directly to a user, you must use the pfexec command or a profile shell, such as pfbash or pfksh, to successfully use the ldm command to manage your domains. Determine whether to use roles or rights profiles based on your rights configuration. See System Administration Guide: Security Services or Securing Users and Processes in Oracle Solaris 11.4.
Users, authorizations, rights profiles, and roles can be configured in the following ways:
- Locally on the system by using files
- Centrally in a naming service, such as LDAP
Installing the Logical Domains Manager adds the necessary rights profiles to the local files. To configure profiles and roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). For an overview of the authorizations and execution attributes delivered by the Logical Domains Manager package, see Logical Domains Manager Profile Contents. All of the examples in this chapter assume that the rights configuration uses local files.
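The audit below is an added example, not part of the original documentation: it reads user_attr-format entries from local files and reports which accounts hold one of the three LDoms profiles, either directly or through an assigned role. The sample entries and the account and role names (sam, terry, chris, pat, ldm_admin, ldm_read) are constructed for illustration, and profiles held only in a naming service are out of scope.

```shell
# Entry format (user_attr): user:qualifier:res1:res2:key=value;key=value
# Constructed sample data; account and role names are hypothetical.
sample_user_attr() {
cat <<'EOF'
# constructed sample, not from a real system
ldm_admin::::type=role;profiles=LDoms Management
ldm_read::::type=role;profiles=LDoms Review,LDoms Consoles
sam::::type=normal;profiles=LDoms Review,Basic Solaris User
terry::::type=normal;roles=ldm_admin
chris::::type=normal;roles=ldm_read;profiles=Basic Solaris User
pat::::type=normal;profiles=Basic Solaris User
EOF
}

# ldoms_holders [FILE...]: print "account<TAB>profile<TAB>direct|role:<name>"
ldoms_holders() {
    awk -F: '
    /^#/ || NF < 5 { next }
    {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            key = substr(kv[i], 1, eq - 1); val = substr(kv[i], eq + 1)
            if (key == "type")     type[$1]  = val
            if (key == "profiles") profs[$1] = val
            if (key == "roles")    roles[$1] = val
        }
        order[++cnt] = $1
    }
    function emit(acct, owner, via,    p, m, j) {
        m = split(profs[owner], p, ",")
        for (j = 1; j <= m; j++)
            if (p[j] ~ /^LDoms (Management|Review|Consoles)$/)
                printf "%s\t%s\t%s\n", acct, p[j], via
    }
    END {
        for (c = 1; c <= cnt; c++) {
            u = order[c]
            if (type[u] == "role") continue   # roles are reported via their users
            emit(u, u, "direct")
            r = split(roles[u], rl, ",")
            for (k = 1; k <= r; k++) emit(u, rl[k], "role:" rl[k])
        }
    }' "$@"
}

sample_user_attr | ldoms_holders
```

Accounts reported as direct are the ones that need pfexec or a profile shell to run ldm. On a live system, pass the local user_attr files as arguments instead of piping in the sample.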