10-13-2008
Dears.
To assign the rights to specific User In Solaris
Role-based access control (RBAC) is an alternative to the all-or-nothing superuser model. RBAC uses the security principle of least privilege. No user should be given more privilege than necessary for performing the user's job. RBAC makes it possible for an organization to separate superusers' capabilities and assign these capabilities to specific users or to special user accounts that are called roles. Roles can be assigned to specific individuals, according to their job needs
you have already user in your system named dell
you want to assign some administration tasks to del to do
1) you must make profile in this example the profile named is useradmin
# vi /etc/security/prof_attr
then you will write at the end of the file
useradmin::::
==========================================================
then at this file /etc/security/exec_attr you will assign the command what you want this user (dell) to do
/etc/security/exec_attr
useracc:suser:cmd:::/usr/sbin/useradd:uid=0
useracc:suser:cmd:::/usr/sbin/userdel:uid=0
useracc:suser:cmd:::/usr/sbin/usermod:uid=0
useracc:suser:cmd:::/usr/sbin/groupadd:uid=0
useracc:suser:cmd:::/usr/sbin/groupdel:uid=0
useracc:suser:cmd:::/usr/sbin/groupmod:uid=0
==========================================================
when you add role it's like useradd you will found the role name at /etc/passwd
Create role:-
**************
# roleadd -c "User Administration" -g "Primary Group" -md /export/home/username -s /user/bin/pfksh -P "useracc" username
-c if you want to add comment
-g if you want to add this role to primary group
-md to create the home directory for the role (it's like useradd home directory for the user)
-s to assign shell for user (this is like ksh we use but it is special for this command becouse it is check the rights you given to the user)
-P capital P to assign the profile
# passwd username
# usermod -R username dell
-R to assign role to existing user
Last edited by dellroxy; 03-02-2009 at 10:36 AM..
10 More Discussions You Might Find Interesting
1. UNIX Desktop Questions & Answers
I just created a group. How do i make the groups read only to a specific file systems.(home directory). (3 Replies)
Discussion started by: niasdad
3 Replies
2. UNIX for Dummies Questions & Answers
Folks;
I want to give a group a read access to a directory tree, but i want the group to be defined by the email account. here's the details:
I have a punch users who use e-mail addresses of "*@blue.com".
I want give this group of "*@blue.com" a read access to a directory tree so every one who... (8 Replies)
Discussion started by: moe2266
8 Replies
3. Solaris
I m having interface ce0 ce1 and its sub interfaces for that.
I want to give MAC addresses for the same.
How will I assign it.
Please give solution for the same (4 Replies)
Discussion started by: sunray
4 Replies
4. Solaris
Hi,
I have cloned a SOLARIS 8 (BLADE 150) Hard Disk and have put into other system. So, now how do I configure the NIC and assign static IP for this new machine ? (8 Replies)
Discussion started by: angshuman_ag
8 Replies
5. Solaris
Hi,
It's actually strange, but Is there any way through which I can assign super user rights to normal user.
Actually su/sudo/rbac does solve these but switching id is the problem for an application.
For eg: $dladm show-dev
insufficient priviliges.
Is there any way to get it done ?
... (8 Replies)
Discussion started by: tuxian
8 Replies
6. UNIX for Advanced & Expert Users
Hi All,
I am working on a Solaris 10 machine and now working with a user creation script. I want to create users using the script and assign a default password.
I found the use of 'expect' in one post, but 'expect' is not available in our server.
Also, the below code is not working for... (2 Replies)
Discussion started by: jaiseaugustine
2 Replies
7. Solaris
Hi,
As per my knowledge, the maximum number of groups that can be allocated to a folder (in Solaris 10) is 16. But I wonder how this rule is applicable to folders which are mounted on NFS which can be accessed by 100s of groups? or is there is a restriction present? I have never handled such a... (5 Replies)
Discussion started by: poga
5 Replies
8. Shell Programming and Scripting
Hello all,
In solaris 10 can we create domains and workgroups like Active directory in windows? If that is possible, can some one please advise the procedure.. (1 Reply)
Discussion started by: bhargav90
1 Replies
9. Shell Programming and Scripting
Hi all. I need a shell script that can, in short, read through a text file line by line and create a new user in Ubuntu, as well as assign that user to a group. The format of the text file is not important but preferably: 'username:group'. I don't have much programming knowledge no matter shell... (3 Replies)
Discussion started by: LewisWeekly
3 Replies
10. Solaris
I have a Solaris 10 system inherited from several previous admins. While trying to decipher a permissions issue, I ran "grpck" and it reported a ton of errors. Among them were these:
1. group name too long
2. group name contains illegal characters (special chars or caps)
3. group membership... (2 Replies)
Discussion started by: cjhilinski
2 Replies
LEARN ABOUT POSIX
smf_security
smf_security(5) Standards, Environments, and Macros smf_security(5)
NAME
smf_security - service management facility security behavior
DESCRIPTION
The configuration subsystem for the service management facility, smf(5), requires privilege to modify the configuration of a service. Priv-
ileges are granted to a user by associating the authorizations described below to the user through user_attr(4) and prof_attr(4). See
rbac(5).
The following authorization is used to manipulate services and service instances.
solaris.smf.modify Authorized to add, delete, or modify services, service instances, or their properties.
Property Group Authorizations
The smf(5) configuration subsystem associates properties with each service and service instance. Related properties are grouped. Groups may
represent an execution method, credential information, application data, or restarter state. The ability to create or modify property
groups can cause smf(5) components to perform actions that may require operating system privilege. Accordingly, the framework requires
appropriate authorization to manipulate property groups.
Each property group has a type corresponding to its purpose. The core property group types are method, dependency, application, and frame-
work. Additional property group types can be introduced, provided they conform to the extended naming convention in smf(5). The following
basic authorizations, however, apply only to the core property group types:
solaris.smf.modify.method
Authorized to change values or create, delete, or modify a property group of type method.
solaris.smf.modify.dependency
Authorized to change values or create, delete, or modify a property group of type dependency.
solaris.smf.modify.application
Authorized to change values or create, delete, or modify a property group of type application.
solaris.smf.modify.framework
Authorized to change values or create, delete, or modify a property group of type framework.
solaris.smf.modify
Authorized to add, delete, or modify services, service instances, or their properties.
Property group-specific authorization can be specified by properties contained in the property group.
modify_authorization Authorizations allow the addition, deletion, or modification of properties within the property group.
value_authorization Authorizations allow changing the values of any property of the property group except modify_authorization.
The above authorization properties are only used if they have type astring. If an instance property group does not have one of the proper-
ties, but the instance's service has a property group of the same name with the property, its values are used.
Service Action Authorization
Certain actions on service instances may result in service interruption or deactivation. These actions require an authorization to ensure
that any denial of service is a deliberate administrative action. Such actions include a request for execution of the refresh or restart
methods, or placement of a service instance in the maintenance or other non-operational state. The following authorization allows such
actions to be requested:
solaris.smf.manage Authorized to request restart, refresh, or other state modification of any service instance.
In addition, the general/action_authorization property can specify additional authorizations that permit service actions to be requested
for that service instance. The solaris.smf.manage authorization is required to modify this property.
Defined Rights Profiles
Two rights profiles are included that offer grouped authorizations for manipulating typical smf(5) operations.
Service Management
A service manager can manipulate any service in the repository in any way. It corresponds to the solaris.smf.manage and
solaris.smf.modify authorizations.
The service management profile is the minimum required to use the pkgadd(1M) or pkgrm(1M) commands to add or remove software packages
that contain an inventory of services in its service manifest.
Service Operator
A service operator has the ability to enable or disable any service instance on the system, as well as request that its restart or
refresh method be executed. It corresponds to the solaris.smf.manage and solaris.smf.modify.framework authorizations.
Sites can define additional rights profiles customized to their needs.
Remote Repository Modification
Remote repository servers may deny modification attempts due to additional privilege checks. See NOTES.
SEE ALSO
auths(1), profiles(1), pkgadd(1M), pkgrm(1M), prof_attr(4), user_attr(4), rbac(5), smf(5)
NOTES
The present version of smf(5) does not support remote repositories.
SunOS 5.10 2 Dec 04 smf_security(5)