RBAC Commands
This section lists commands that are used to administer RBAC. Also provided is
a table of commands whose access can be controlled by authorizations.
Commands That Manage RBAC
While you can edit the local RBAC databases manually, such editing is strongly
discouraged. The following commands are available for managing access to tasks with RBAC.
Table 10-7 RBAC Administration Commands
Man
Page for Command |
Description |
|---|
auths(1) |
Displays authorizations for a user. |
makedbm(1M) |
Makes a dbm file. |
nscd(1M) |
Name service cache
daemon, useful for caching the user_attr, prof_attr, and exec_attr databases. Use the svcadm
command to restart the daemon. |
pam_roles(5) |
Role account management module for PAM. Checks for the
authorization to assume role. |
pfexec(1) |
Used by profile shells to execute commands with security attributes
that are specified in the exec_attr database. |
policy.conf(4) |
Configuration file for system security policy.
Lists granted authorizations, granted privileges, and other security information. |
profiles(1) |
Displays rights profiles for a specified
user. |
roles(1) |
Displays roles that a specified user can assume. |
roleadd(1M) |
Adds a role to a local
system. |
roledel(1M) |
Deletes a role from a local system. |
rolemod(1M) |
Modifies a role's properties on a local system. |
smattrpop(1M) |
Merges
the source security attribute database into the target database. For use in situations
where local databases need to be merged into a name service. Also for
use in upgrades where conversion scripts are not supplied. |
smexec(1M) |
Manages entries in the exec_attr
database. Requires authentication. |
smmultiuser(1M) |
Manages bulk operations on user accounts. Requires authentication. |
smprofile(1M) |
Manages rights profiles in the
prof_attr and exec_attr databases. Requires authentication. |
smrole(1M) |
Manages roles and users in role accounts. Requires authentication. |
smuser(1M) |
Manages
user entries. Requires authentication. |
useradd(1M) |
Adds a user account to the system. The -P option
assigns a role to a user's account. |
userdel(1M) |
Deletes a user's login from the system. |
usermod(1M) |
Modifies
a user's account properties on the system. |
Commands That Require Authorizations
The following table provides examples of how authorizations are used to limit command
options on a Solaris system. For more discussion of authorizations, see Authorization Naming and Delegation.
Table 10-8 Commands and Associated Authorizations
Man Page
for Command |
Authorization Requirements |
|---|
at(1) |
solaris.jobs.user required for all options (when neither at.allow nor at.deny files
exist) |
atq(1) |
solaris.jobs.admin required for all options |
cdrw(1) |
solaris.device.cdrw required for all options, and is granted by default
in the policy.conf file |
crontab(1) |
solaris.jobs.user required for the option to submit a job
(when neither crontab.allow nor crontab.deny files exist) solaris.jobs.admin required for the options to
list or modify other users' crontab files |
allocate(1) |
solaris.device.allocate (or other authorization as specified in device_allocate
file) required to allocate a device solaris.device.revoke (or other authorization as specified in device_allocate
file) required to allocate a device to another user (-F option) |
deallocate(1) |
solaris.device.allocate (or other
authorization as specified in device_allocate file) required to deallocate another user's device solaris.device.revoke (or
other authorization as specified in device_allocate) required to force deallocation of the specified device
(-F option) or all devices (-I option) |
list_devices(1) |
solaris.device.revoke required to list another user's
devices (-U option) |
sendmail(1M) |
solaris.mail required to access mail subsystem functions; solaris.mail.mailq required to view mail
queue |
