Using the Solaris Management Tools With RBAC (Task Map)
This task map describes the tasks to do if you want to use
the RBAC security features rather than the superuser account to perform administration tasks.
Note - The information in this chapter describes how to use the console with RBAC.
RBAC overview and task information is included to show you how to initially
set up RBAC with the console.
For detailed information on RBAC and how to use it with other applications,
see Role-Based Access Control (Overview) in System Administration Guide: Security Services.
The following sections provide overview information and step-by-step instructions for using the Solaris
Management Console and the RBAC security features.
If You Are the First to Log in to the Console
If you are the first administrator to log in to the console,
start the console as a user (yourself). Then, log in as superuser. This
method gives you complete access to all the console tools.
Here are the general steps, depending on whether you are using RBAC:
Without RBAC – If you choose not to use RBAC, continue working as superuser. All other administrators will also need root access to perform their jobs.
With RBAC – You will need to do the following:
Creating the Primary Administrator Role
An administrator role is a special user account. Users who assume a role are
permitted to perform a predefined set of administrative tasks.
The Primary Administrator role is permitted to perform all administrative functions, similar to
superuser.
If you are superuser, or a user assuming the Primary Administrator role, you
can define which tasks other administrators are permitted to perform. With the help
of the Add Administrative Role wizard, you can create a role, grant rights
to the role, and then specify which users are permitted to assume that
role. A right is a named collection of commands, or authorizations, for using
specific applications. A right enables you to perform specific functions within an application.
The use of rights can be granted or denied by an administrator.
You are prompted for the following information when you create the Primary Administrator
role.
Table 2-2 Field Descriptions for Adding a Role by Using the Solaris Management Console
Field name | Description
Role name | Selects the name an administrator uses to log in to a specific role.
Full name | Provides a full, descriptive name of this role. (Optional)
Description | Provides further description of this role.
Role ID number | Selects the identification number assigned to this role. This number comes from the same set of identifiers as UIDs.
Role shell | Selects the shell that runs when a user logs in to a terminal or console window and assumes a role in that window.
Create a role mailing list | Creates a mailing list with the same name as the role, if checked. You can use this list to send email to everyone assigned to the role.
Role Password and Confirm Password | Sets and confirms the role password.
Available Rights and Granted Rights | Assigns rights to this role by choosing from the list of Available Rights and adding them to the list of Granted Rights.
Select a home directory | Selects the home directory server where this role's private files will be stored.
Assign users to this role | Adds specific users to the role so that they can assume the role to perform specific tasks.
For detailed information about role-based access control, and instructions on how to use
roles to create a more secure environment, see Role-Based Access Control (Overview) in System Administration Guide: Security Services.
How to Create the First Role (Primary Administrator)
This procedure describes how to create the Primary Administrator role and then assign
it to your user account. This procedure assumes that your user account is
already created.
- Start the console as yourself.
% /usr/sadm/bin/smc &
For additional information on starting the console, see How to Start the Console as Superuser or as a Role.
The console online help provides more information about creating a user account for
yourself.
- Click the This Computer icon in the Navigation pane.
- Click System Configuration -> Users -> Administrative Roles.
- Click Action -> Add Administrative Role.
The Add Administrative Role wizard opens.
- Create the Primary Administrator role with the Administrative Role wizard by following these steps.
  - Identify the role name, full role name, description, role ID number, role shell, and whether you want to create a role mailing list. Click Next.
  - Set and confirm the role password. Click Next.
  - Select the Primary Administrator right from the Available Rights column and add it to the Granted Rights column. Click Next.
  - Select the home directory for the role. Click Next.
  - Assign yourself to the list of users who can assume the role. Click Next.
  If necessary, see Table 2-2 for a description of the role fields.
- Click Finish.
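The wizard records the role, its granted rights and its assigned users in the RBAC database /etc/user_attr, and the role shell in /etc/passwd. As an added example that is not part of this guide, the following POSIX shell audit checks those entries after the procedure above (and before the role is assumed in the next procedure); it runs over constructed sample copies of both files, and the role name primadm and the user names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Solaris guide: audit what the Add
# Administrative Role wizard writes, using constructed sample copies of
# /etc/user_attr and /etc/passwd. user_attr(4) lines look like
#   user:qualifier:res1:res2:attr      (attr = key=value;key=value)

# Users whose "roles=" list includes the role named in $2 (file in $1).
users_for_role() {
    awk -F: -v role="$2" '
        /^#/ || NF < 5 { next }
        { n = split($5, kv, ";")
          for (i = 1; i <= n; i++) if (kv[i] ~ /^roles=/) {
              m = split(substr(kv[i], 7), rl, ",")
              for (j = 1; j <= m; j++) if (rl[j] == role) print $1
          } }' "$1"
}

# Rights profiles granted to the role (the wizard's Granted Rights list).
role_profiles() {
    awk -F: -v role="$2" '
        $1 == role && $5 ~ /(^|;)type=role(;|$)/ {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^profiles=/) print substr(kv[i], 10)
        }' "$1"
}

# A role only gets its profiles through a profile shell; $1 = passwd file.
role_shell_ok() {
    sh=$(awk -F: -v role="$2" '$1 == role { print $7 }' "$1")
    case "$sh" in /bin/pfsh|/bin/pfcsh|/bin/pfksh) return 0 ;; *) return 1 ;; esac
}

UA=$(mktemp); PW=$(mktemp)          # constructed sample files
cat > "$UA" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=All
primadm::::type=role;profiles=Primary Administrator
jdoe::::type=normal;roles=primadm
asmith::::type=normal;profiles=Basic Solaris User
EOF
cat > "$PW" <<'EOF'
primadm:x:100:1:Primary Administrator:/export/home/primadm:/bin/pfksh
jdoe:x:1001:10:Jane Doe:/export/home/jdoe:/bin/ksh
EOF

echo "Users who can assume primadm:"; users_for_role "$UA" primadm
echo "Rights granted to primadm:";    role_profiles "$UA" primadm
role_shell_ok "$PW" primadm && echo "primadm uses a profile shell"
```

On a real system, point the functions at /etc/user_attr and /etc/passwd instead of the samples; a role whose shell is not one of the profile shells will not receive its granted rights when assumed.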
How to Assume the Primary Administrator Role
After you have created the Primary Administrator role, log in to the console
as yourself, and then assume the Primary Administrator role.
When you assume a role, you take on all the attributes of
that role, including the rights. At the same time, you relinquish all of
your own user properties.
- Start the console.
% /usr/sadm/bin/smc &
For information on starting the console, see How to Start the Console as Superuser or as a Role.
- Log in with your user name and password.
A list shows which roles you are permitted to assume.
- Log in to the Primary Administrator role and provide the role password.