Chapter 7 Role-Based Access Control (Reference)

This chapter provides additional information that supplements Chapter 5, Role-Based Access Control (Overview). The following is a list of the reference information in this chapter:

For information on RBAC tasks, see Chapter 6, Role-Based Access Control (Tasks).

RBAC Elements: Reference Information

This section describes the role-based access control (RBAC) elements in detail.

Configuring Recommended Roles

No predefined roles are shipped with the Solaris 9 software. Management at a customer site must decide what types of roles should be set up. However, three recommended roles can be readily configured by assigning the appropriate predefined rights profile to the corresponding roles:

These rights profiles enable administrators to configure the suggested roles by using a single rights profile instead of having to mix and match rights profiles.

Sites that customize roles should closely check the order of the rights profiles that are assigned to the role. The system does not prevent someone from entering multiple occurrences of the same command. The attributes that are assigned to the first occurrence of a command in a rights profile take precedence, and all subsequent occurrences are ignored.

Note - You can also set up root as a role through a manual process. This method prevents users from logging in directly as root, forcing them to log in as themselves first. See Making Root a Role.

Contents of Rights Profiles

This section describes some typical rights profiles.
The tables in the following sections show the purpose and the contents of these rights profiles, including the commands, authorizations, supplementary rights, rights profiles, and associated help files. Help files are in HTML and can be readily customized, if required. These files reside in the /usr/lib/help/auths/locale/C directory. The Solaris Management Console Rights tool provides another way of inspecting the contents of the rights profiles.

All Rights Profile

The All rights profile uses the wildcard to include all commands, except for those commands without security attributes. This rights profile provides a role with access to all commands that are not explicitly assigned in other rights profiles. Without the All rights profile or some other rights profile that uses wildcards, a role has access to explicitly assigned commands only, which is not very practical.

Because commands in rights profiles are interpreted in the order in which they occur, any wildcard settings should be positioned last so that explicit attribute assignments are not inadvertently overridden. The All rights profile, if used, should be the final rights profile that is assigned.

Table 7-1 Contents of All Rights Profile
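The ordering rule stated in this chapter (the first matching command entry wins, so a wildcard profile such as All must be assigned last) can be modelled directly. The following is an added example, not code from the Solaris documentation or from the Solaris implementation; the exec_attr entries are constructed in the documented exec_attr(4) field layout, and the Printer Management attributes are assumed for illustration.

```python
"""Model of the precedence rule this chapter describes (constructed example,
not Solaris code): the first exec_attr entry that matches a command wins, so
a wildcard profile such as All must come last in a role's profile list."""
from fnmatch import fnmatch

# Constructed entries in exec_attr(4) layout: name:policy:type:res1:res2:id:attr
EXEC_ATTR = """\
Primary Administrator:suser:cmd:::*:uid=0;gid=0
Printer Management:suser:cmd:::/usr/sbin/lpadmin:euid=lp
Printer Management:suser:cmd:::/usr/bin/cancel:euid=lp
All:suser:cmd:::*:
"""


def parse_exec_attr(text):
    """Return (profile, id_pattern, attrs) tuples for cmd entries, in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7 or fields[2] != "cmd":
            continue
        name, _policy, _kind, _res1, _res2, cmd_id, attr = fields
        attrs = dict(kv.split("=", 1) for kv in attr.split(";") if kv)
        entries.append((name, cmd_id, attrs))
    return entries


def resolve(profiles, command, entries=None):
    """Attributes a role gets for `command`: profiles in assigned order, first match wins."""
    entries = parse_exec_attr(EXEC_ATTR) if entries is None else entries
    for profile in profiles:
        for name, cmd_id, attrs in entries:
            if name == profile and fnmatch(command, cmd_id):
                return attrs
    return None  # no assigned profile grants the command


def shadowed_by_wildcard(profiles, entries=None):
    """Explicit command ids whose attributes an earlier wildcard entry masks."""
    entries = parse_exec_attr(EXEC_ATTR) if entries is None else entries
    masked, wildcard_seen = [], False
    for profile in profiles:
        for name, cmd_id, _attrs in entries:
            if name != profile:
                continue
            if cmd_id == "*":
                wildcard_seen = True
            elif wildcard_seen:
                masked.append(cmd_id)
    return masked
```

With All assigned first, lpadmin resolves to the empty attribute set from the wildcard and its euid=lp assignment is never reached; shadowed_by_wildcard reports exactly those masked entries.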
Primary Administrator Rights Profile

The Primary Administrator rights profile is assigned to the most powerful role on the system, effectively providing that role with superuser capabilities.

The help file RtPriAdmin.html is identified so that a site can modify it if necessary. Help files are stored in the /usr/lib/help/auths/locale/C directory. Note also that if the Primary Administrator rights profile is not consistent with a site's security policy, it can be modified or not assigned at all. However, the security capabilities in the Primary Administrator rights profile would then need to be handled in one or more other rights profiles.

Table 7-2 Contents of Primary Administrator Rights Profile