No one is allowed to log onto a system by using a role account. A role is created in much the same way as a normal user account and has all the attributes that a normal user account has. If you want to temporarily suspend a role, simply change the password on the role account and don't give anyone the new password. When you're ready to resume the role, either reset the password to what it was or assign a new one and let the users know what it is. This does not apply if you attach the role directly to a user account.


The following are some of the commands that are used to create and manage roles:


auths
getdevpolicy
pam_roles
pfexec
profiles
roleadd - use this if you're using files
rolemod - use this if you're using files
roledel - use this if you're using files
roles
smc
smexec
smmultiuser
smprofile
smrole - use this if you're using a naming service
smuser - use this if you're using a naming service
useradd - use this if you're using files
userdel - use this if you're using files
usermod - use this if you're using files
vi


To create a role use the following roleadd command:


roleadd -c comment -d home_dir -e expire -f inactive -g group -G group -m -u uid -s shell -A authorization -P profile role


Those familiar with useradd will have no problem with this command. The -m switch creates the home directory if it doesn't already exist. Make sure that you remember to use one of the profile shells, pfsh, pfksh, or pfcsh, for the shell. Before assigning an authorization or a profile, it must already exist in auth_attr or prof_attr respectively. The role account has the same restrictions as a user account in terms of name length and other attributes.


To modify a role you use the rolemod command. This command is analogous to the usermod command and follows the same format:


rolemod -u uid -g group -G group -d dir -m -s shell -c comment -l new_name -f inactive -e expire -A authorization -P profile role


Finally, to remove a role use the roledel command as follows:


roledel -r role


As with userdel, the -r switch removes the home directory.
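Before creating a role it is worth checking the two things the roleadd section warns about: that the shell is a profile shell and that every authorization and profile already exists. The following pre-flight script is an added example, not part of this page or of Solaris; it reads auth_attr and prof_attr from RBAC_DIR (point it at /etc/security on a real system; when unset it writes constructed sample files to a temporary directory) and prints the roleadd command it would run rather than running it.

```shell
#!/bin/sh
# Pre-flight checks for roleadd: the shell must be a profile shell and every
# authorization/profile must already exist in auth_attr/prof_attr. RBAC_DIR is
# where those files live; if unset, constructed samples are written to a temp dir.
make_sample_dir() {            # constructed sample data, not real system files
    d=$(mktemp -d)
    printf '%s\n' 'solaris.device.allocate:::Allocate Device::' \
        'solaris.device.revoke:::Revoke or Reclaim Device::' > "$d/auth_attr"
    printf '%s\n' 'Device Management:::Control Access to Removable Media:auths=solaris.device.*' \
        'Printer Management:::Manage Printers:auths=solaris.print.*' > "$d/prof_attr"
    echo "$d"
}
RBAC_DIR=${RBAC_DIR:-$(make_sample_dir)}
# Field 1 of auth_attr is the authorization name; a trailing ".*" is a wildcard,
# so accept it when at least one authorization under that prefix is defined.
auth_exists() {
    case "$1" in
        *.\*) p=${1%\*}; awk -F: -v p="$p" '$0 !~ /^#/ && index($1, p) == 1 { f = 1 } END { exit f ? 0 : 1 }' "$RBAC_DIR/auth_attr" ;;
        *)    awk -F: -v n="$1" '$0 !~ /^#/ && $1 == n { f = 1 } END { exit f ? 0 : 1 }' "$RBAC_DIR/auth_attr" ;;
    esac
}
# Field 1 of prof_attr is the profile name (it may contain spaces).
profile_exists() {
    awk -F: -v n="$1" '$0 !~ /^#/ && $1 == n { f = 1 } END { exit f ? 0 : 1 }' "$RBAC_DIR/prof_attr"
}
# Only a profile shell consults exec_attr; with /bin/sh the role gains nothing.
is_profile_shell() {
    case "$1" in */pfsh|*/pfksh|*/pfcsh) return 0 ;; *) return 1 ;; esac
}

# plan_roleadd role shell auths profiles   (auths and profiles comma-separated)
# Prints the roleadd command to run, or an error message and a non-zero status.
plan_roleadd() {
    role=$1; shell=$2; auths=$3; profs=$4
    is_profile_shell "$shell" || { echo "$shell is not a profile shell" >&2; return 1; }
    saved_ifs=$IFS; IFS=','; set -f        # split on commas only, never glob "*"
    for a in $auths; do
        auth_exists "$a" || { IFS=$saved_ifs; set +f; echo "unknown authorization: $a" >&2; return 1; }
    done
    for p in $profs; do
        profile_exists "$p" || { IFS=$saved_ifs; set +f; echo "unknown profile: $p" >&2; return 1; }
    done
    IFS=$saved_ifs; set +f
    printf 'roleadd -m -d /export/home/%s -s %s -A "%s" -P "%s" %s\n' \
        "$role" "$shell" "$auths" "$profs" "$role"
}

plan_roleadd devadm /bin/pfsh 'solaris.device.*' 'Device Management'
```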


If you want to see a list of the profiles that you currently belong to, use the 'profiles' command:


profiles -l user


Using the -l switch lets you see which commands are associated with each profile, as well as special attributes such as the uid or gid the command runs with. If you want to see the profiles assigned to a particular user, specify the user's name as part of the command.


The useradd and usermod commands have been updated with additional switches. These include the -A and -P options, which assign authorizations and profiles to the user, and the -R option, which assigns roles to a user.


Sometimes when you add or modify a role or profile the change won't take effect right away. The usual reason is the name service cache daemon (nscd), which is still serving the old entries. If you make changes and they aren't showing up, you may need to restart this daemon. To do this issue the following command:


svcadm restart system/name-service-cache


RBAC uses the /etc/nsswitch.conf file. Be sure to check the entries in this file to ensure that the RBAC databases are being read from the source you expect (local files or a naming service).


And finally:


If you look at /etc/security/prof_attr you will see an entry for 'Device Management.' On that same line you will notice that the auths are solaris.device.* and solaris.admin.serialmgr.*.


If you look at /etc/security/auth_attr you will find the entries for those authorizations.


So any account that has been assigned the Device Management profile is granted the authorizations listed for it in the auth_attr file.


Do the authorizations need help from command line tools? Yes.


If you examine /etc/security/exec_attr you will see entries for 'Device Management.' Listed there are the actual commands that can be run, as well as how they will be run, by anyone having those authorizations or the 'Device Management' profile.


Conclusion


Like anything new, getting used to RBAC can take a little time, but in the long run it will solve problems that are not easily solved by setting UNIX permissions alone. It can also augment or replace other programs that provide similar services.





This Web Site Copyright © 1997 - 2008
by Alan Pae - All Rights Reserved