No one is allowed to log onto a system by using a role account. A role is created in much the same way as a normal user account, and it has all the attributes that a normal user account has. If you want to temporarily suspend a role, simply change the password on the role account and don't give anyone the new password. When you're ready to resume the role, either reset the password to what it was or assign a new one and let the users know what it is. This does not apply if you attach the role directly to a user account or if you allow users to use their existing passwords.

 

The following are the commands and some of the authorizations that are used to create and manage roles:

 

Commands:

add_drv -p policy driver
allocate
at
atq
auths
cdrw
crontab
deallocate
devfsadm
dminfo
getdevpolicy
list_devices
nscd
pfexec
ppriv
ppriv -eD failed-operation
ppriv -l
ppriv -lv priv
ppriv -s spec
ppriv -v pid
profiles
roles
roleadd
roledel
rolemod
sendmail
update_drv -p policy driver
userattr
useradd
userdel
usermod

Configuration files and related entries:

/etc/nsswitch.conf
pam_roles
policy.conf
privileges

Authorizations:

solaris.account.setpolicy
solaris.device.allocate
solaris.device.cdrw
solaris.device.config
solaris.device.grant
solaris.device.mount.alloptions.fixed
solaris.device.mount.alloptions.removable
solaris.device.mount.fixed
solaris.device.mount.removable
solaris.device.revoke
solaris.jobs.admin
solaris.mail
solaris.mail.mailq

 

To create a role use the following roleadd command:

 

roleadd -c comment -d home_dir -e expire -f inactive -g group -G group -m -u uid -s shell -A authorization -P profile role

 

Those familiar with useradd will have no problem with this command. The -m switch creates the home directory if it does not already exist. Make sure that you use one of the profile shells, pfsh, pfksh, or pfcsh, as the role's shell. Before you assign an authorization or a profile it must already exist in auth_attr or prof_attr respectively. A role account has the same restrictions as a user account in terms of the length of its name and its other attributes.

 

To modify a role, use the rolemod command. It is analogous to the usermod command and follows the same format:

 

rolemod -u uid -g group -G group -d dir -m -s shell -c comment -l new_name -f inactive -e expire -A authorization -P profile role

 

Finally, to remove a role use the roledel command as follows:

 

roledel -r role

 

As with userdel, the -r switch also removes the role's home directory.
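The rules given above for creating a role (a profile shell, and authorizations and profiles that already exist in auth_attr and prof_attr) are easy to get wrong when roles are created by a script. The following wrapper, an added example that is not code from the original page, checks both rules before it calls roleadd. The names AUTH_ATTR, PROF_ATTR, ROLEADD, ROLEADD_DRY_RUN and the function names are this example's own; the sample auth_attr and prof_attr lines it writes are constructed for the example and are not copied from any system.

```sh
#!/bin/sh
# Pre-flight checks for roleadd. Added example, not code from the original page.
# It enforces the two rules stated in the text before the real command runs:
#   1. the role's shell must be a profile shell (pfsh, pfksh or pfcsh);
#   2. every -A authorization must already be defined in auth_attr and every
#      -P profile in prof_attr, matched exactly on the first colon field.
# AUTH_ATTR, PROF_ATTR and ROLEADD may be overridden through the environment;
# ROLEADD_DRY_RUN=1 prints the roleadd command line instead of executing it.
AUTH_ATTR="${AUTH_ATTR:-/etc/security/auth_attr}"
PROF_ATTR="${PROF_ATTR:-/etc/security/prof_attr}"
ROLEADD="${ROLEADD:-roleadd}"

# Return 0 only for the three profile shells (bare name or full path).
is_profile_shell() {
  case "$1" in
    pfsh|pfksh|pfcsh|*/pfsh|*/pfksh|*/pfcsh) return 0 ;;
    *) return 1 ;;
  esac
}

# names_exist_in FILE LIST: LIST is comma separated (profile names contain
# spaces, so the comma is the only safe delimiter). Reports every name that is
# not the first field of some line in FILE; returns non-zero if any is missing.
names_exist_in() {
  file=$1; list=$2; missing=0
  save_ifs=$IFS; IFS=,
  for name in $list; do
    awk -F: -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$file" ||
      { echo "not defined in $file: $name" >&2; missing=1; }
  done
  IFS=$save_ifs
  return $missing
}

# create_role ROLE SHELL AUTHS PROFILES: validate, then run roleadd -m with
# only the options that have a value. Exit codes: 2 bad shell, 3 unknown
# authorization, 4 unknown profile, otherwise roleadd's own status.
create_role() {
  role=$1; shell=$2; auths=$3; profiles=$4
  is_profile_shell "$shell" ||
    { echo "refusing: $shell is not pfsh, pfksh or pfcsh" >&2; return 2; }
  if [ -n "$auths" ]; then names_exist_in "$AUTH_ATTR" "$auths" || return 3; fi
  if [ -n "$profiles" ]; then names_exist_in "$PROF_ATTR" "$profiles" || return 4; fi
  set -- -m -s "$shell"
  [ -z "$auths" ] || set -- "$@" -A "$auths"
  [ -z "$profiles" ] || set -- "$@" -P "$profiles"
  set -- "$@" "$role"
  if [ -n "$ROLEADD_DRY_RUN" ]; then
    echo "$ROLEADD $*"
  else
    "$ROLEADD" "$@"
  fi
}

# Constructed sample databases (not copied from any system) so the checks can
# be exercised offline; on Solaris the real files live under /etc/security.
setup_sample_db() {
  dir=$(mktemp -d)
  AUTH_ATTR="$dir/auth_attr"; PROF_ATTR="$dir/prof_attr"
  cat > "$AUTH_ATTR" <<'EOF'
solaris.device.allocate:::Allocate Device::help=DevAllocate.html
solaris.jobs.admin:::Manage All Jobs::help=AuthJobsAdmin.html
EOF
  cat > "$PROF_ATTR" <<'EOF'
Printer Management:::Manage printers, daemons, spooling:help=RtPrntAdmin.html
Device Management:::Control Access to Removable Media:auths=solaris.device.*;help=RtDeviceMngmnt.html
EOF
}

# Run with the argument "demo" to see one accepted and two rejected requests
# against the constructed databases, without executing roleadd.
if [ "${1:-}" = "demo" ]; then
  setup_sample_db
  ROLEADD_DRY_RUN=1
  create_role oper /bin/pfsh solaris.jobs.admin "Printer Management,Device Management"
  create_role oper /bin/sh solaris.jobs.admin "Printer Management" || echo "rejected, exit $?"
  create_role oper /bin/pfsh solaris.nosuch "Printer Management" || echo "rejected, exit $?"
fi
```

On a real system you would leave AUTH_ATTR and PROF_ATTR at their defaults and unset ROLEADD_DRY_RUN; the name match is exact on the first field, so a typo such as solaris.jobs.admn is refused before roleadd ever sees it.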

 

If you want to see the list of profiles that you currently belong to, use the profiles command:

 

profiles -l user

 

The -l switch lists the commands associated with each profile, along with any special attributes, such as the uid or gid under which a command runs. To see the profiles assigned to a particular user, give the user's name as an argument.

 

The useradd and usermod commands have gained additional switches: -A and -P, which assign authorizations and profiles to the user, and -R, which assigns roles to the user.

 

Sometimes a role or profile you have just added or modified does not take effect right away. The usual cause is the name service cache daemon (nscd) still serving the old entries. If your changes are not showing up, restart the daemon with the following command:

 

svcadm restart system/name-service-cache

 

RBAC looks up its databases through the /etc/nsswitch.conf file. Check the entries in this file to ensure that you are reading the right set of files.
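To make the profiles -l output above and the nsswitch.conf reminder concrete, here is an added example (not code from the original page) that reads the RBAC databases directly: it resolves a user's profiles from user_attr (following one level of nested profiles= entries in prof_attr), lists the commands exec_attr grants to each profile together with their uid/euid/gid attributes, and reports which source nsswitch.conf names for a given database. The function names, the environment variables and the sample database lines it writes are this example's own constructions, not taken from any system.

```sh
#!/bin/sh
# Resolve a user's RBAC profiles and the commands they grant straight from the
# attribute databases, approximating what `profiles -l user` reports, and show
# which source nsswitch.conf names for each database. Added example, not code
# from the original page. Paths may be overridden through the environment.
USER_ATTR="${USER_ATTR:-/etc/user_attr}"
PROF_ATTR="${PROF_ATTR:-/etc/security/prof_attr}"
EXEC_ATTR="${EXEC_ATTR:-/etc/security/exec_attr}"
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"

# attr_value FILE NAME KEY: value of KEY=... inside the semicolon-separated
# attribute field (the last colon field) of the entry NAME in FILE.
attr_value() {
  awk -F: -v n="$2" -v k="$3" '
    $1 == n {
      cnt = split($NF, kv, ";")
      for (i = 1; i <= cnt; i++)
        if (index(kv[i], k "=") == 1) print substr(kv[i], length(k) + 2)
    }' "$1"
}

# user_profiles USER: profiles listed for USER in user_attr plus, one level
# down, the profiles each of those includes via prof_attr's profiles= key.
user_profiles() {
  attr_value "$USER_ATTR" "$1" profiles | tr ',' '\n' | while read -r p; do
    echo "$p"
    attr_value "$PROF_ATTR" "$p" profiles | tr ',' '\n'
  done | awk 'NF && !seen[$0]++'
}

# profile_commands PROFILE: cmd entries exec_attr grants to PROFILE, printed as
# "path attributes" (euid=lp, uid=0 ...), the detail that profiles -l shows.
profile_commands() {
  awk -F: -v p="$1" '
    $1 == p && $3 == "cmd" { line = $6; if ($7 != "") line = line " " $7; print line }
  ' "$EXEC_ATTR"
}

# nss_source DATABASE: the source list nsswitch.conf gives for DATABASE
# (prof_attr, exec_attr, user_attr, auth_attr); empty if the line is absent.
nss_source() {
  awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }' "$NSSWITCH"
}

# list_profiles USER: the combined report, one profile per block.
list_profiles() {
  user_profiles "$1" | while read -r p; do
    echo "$p:"
    profile_commands "$p" | sed 's/^/    /'
  done
}

# Constructed sample databases (not copied from any system) so this runs offline.
setup_sample_db() {
  dir=$(mktemp -d)
  USER_ATTR="$dir/user_attr"; PROF_ATTR="$dir/prof_attr"
  EXEC_ATTR="$dir/exec_attr"; NSSWITCH="$dir/nsswitch.conf"
  cat > "$USER_ATTR" <<'EOF'
alice::::type=normal;profiles=Printer Management;roles=oper
oper::::type=role;profiles=Device Management,Printer Management
EOF
  cat > "$PROF_ATTR" <<'EOF'
Printer Management:::Manage printers:help=RtPrntAdmin.html
Device Management:::Manage devices:profiles=Device Security;auths=solaris.device.allocate
Device Security:::Manage device policy:help=RtDeviceSecurity.html
EOF
  cat > "$EXEC_ATTR" <<'EOF'
Printer Management:suser:cmd:::/usr/bin/lpq:euid=lp
Printer Management:suser:cmd:::/usr/sbin/lpadmin:euid=lp
Device Management:suser:cmd:::/usr/sbin/allocate:uid=0
Device Security:suser:cmd:::/usr/sbin/add_drv:uid=0
EOF
  cat > "$NSSWITCH" <<'EOF'
passwd:     files
prof_attr:  files
exec_attr:  files
EOF
}

# Run with the argument "demo" to print the report for the constructed data.
if [ "${1:-}" = "demo" ]; then
  setup_sample_db
  for u in alice oper; do echo "== $u"; list_profiles "$u"; done
  echo "prof_attr is read from: $(nss_source prof_attr)"
fi
```

The nss_source check is the one to run first when a profile you can see in prof_attr never shows up in profiles -l: if the database line in nsswitch.conf names a source other than files, you are editing the wrong copy of the data.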

 

And finally:

 

Do authorizations need help from command-line tools? That depends on the authorization.

 

Conclusion

 

Like anything new, getting used to RBAC can take a little time, but in the long run it will solve problems that are not easily solved by setting UNIX permissions. It can also augment or replace other programs that provide similar services.

 

Next Section: Example One - RBAC with su - 9 of 10




This Web Site Copyright © 1997 - 2012
by Alan Pae - All Rights Reserved