Solaris

samar and jlliagre, thanks for your valuable time...

I understand the need for entries in /etc/security/prof_attr and /etc/security/exec_attr..but let me ask you .. suppose if i do that this way:
vi /etc/security/prof_attr
shut:::Shut down the system:

vi /etc/security/exec_attr
shut:suser:cmd:::/usr/sbin/shutdown:uid=0

(note that the profile is not being given auths=solaris.system.shutdown attribute)

roleadd -m -d /export/home/adminusr -P shut adminusr

usermod -R adminusr neil

It works perfect even without any authorization...then where will the need for the -A switch arise..?This is the question I am trying to get an answer for the whole 5 hours of yesterday.., that is the reason why I wanted to create a role and user with just entries in /etc/user_attr instead of /etc/security/prof_attr and /etc/security/exec_attr.
kindly help me out...!

actually here u have authorization )) in solaris RBAC there are predefined authorizations. you cant modify it as u did with prof_attr and exec_attr .
in your situation "shutdown" authorization works:
solaris.system.shutdown:::Shutdown the System::help=SysShutdown.html

look at your /etc/security/auth_attr .. your role adminusr takes authorization from that file. (this file auth_attr not only for roles, it gives users also definite rights).

hope this map will let you gain some insight.

thanks samar,
but sorry to ask you again, if authorisation is predefined, why the need for -A switch in roleadd and why Bill Calkins had mentioned it explicitly? pls dont get irritated with my question..thanks.

My understanding is these authorizations were really meant for the Secure Extensions and are now obsolete. They simply seem to be of no use in Solaris 10/Open Solaris. I have found no reference of them, outside their declaration in Open Solaris source code.

jlliagre, thanks a lot for your reply. I will take your word and I am not going to dig more about authorization... Thanks a lot.