
Solaris 9 Student Guide Part 2 (SA-299), part 6


Introducing the Component Interaction Within RBAC
Configuring Role-Based Access Control (RBAC) 11-13
Copyright 2002 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision A
Figure 11-6 shows one relationship between the
/etc/security/prof_attr and the /etc/user_attr databases. The
Printer Management profile, which is defined in the
/etc/security/prof_attr database, is assigned to the sysadmin role in
the /etc/user_attr database.
Figure 11-6 User and Profile Association
Figure 11-7 shows the relationship between the
/etc/security/prof_attr and the /etc/security/auth_attr
databases. The Printer Management profile is defined in the
/etc/security/prof_attr database as having assigned to it all
authorizations whose names begin with the string solaris.admin.printer.
These authorizations are defined in the /etc/security/auth_attr
database.
Figure 11-7 Profile and Authorization Association
The /etc/security/exec_attr Database
The /etc/security/exec_attr database holds the execution attributes.
An execution attribute associated with a profile is a command or a script
that contains a command with options (because the only way to add
options to a command is by using a script). Only the users and roles
assigned to this profile can run the command with special security
attributes. Special security attributes refer to attributes, such as UID,
EUID, GID, and EGID, that can be added to a process when the command
is run. The definitions of the execution attributes are stored in the
/etc/security/exec_attr database. Figure 11-8 shows the
/etc/security/exec_attr database.


Figure 11-8 The exec_attr Database
The fields in the /etc/security/exec_attr database are separated by
colons:

name:policy:type:res1:res2:id:attr

where:

name      The name of the profile. Profile names are case sensitive.

policy    The security policy associated with this entry. In the Solaris 9
          OE, suser (the superuser policy model) is the only valid policy
          entry.

type      The type of entity whose attributes are specified. The only
          valid type is cmd (command).

res1      Reserved for future use.

res2      Reserved for future use.

id        A string identifying the entity. You can use the asterisk (*)
          wildcard. Commands should have the full path or a path with a
          wildcard. To specify arguments, write a script with the
          arguments, and point the id to the script. Because such a script
          runs with the security attributes listed in the entry, it must be
          owned by root and must not be writable by the users or roles that
          hold the profile; otherwise they can edit the script and run
          arbitrary commands with those attributes.

attr      An optional list of key-value pairs, separated by semicolons,
          that describes the security attributes to apply to the entity
          when it is executed. You can specify zero or more keys. The list
          of valid keywords depends on the policy being enforced. There
          are four valid keys: euid, uid, egid, and gid.

          • euid and uid – Contain a single user name or a numeric user
            ID. Commands designated with euid run with the effective UID
            indicated, which is similar to setting the setuid bit on an
            executable file. Commands designated with uid run with both
            the real and effective UIDs set to the UID you specify.

          • egid and gid – Contain a single group name or numeric group
            ID. Commands designated with egid run with the effective GID
            indicated, which is similar to setting the setgid bit on an
            executable file. Commands designated with gid run with both
            the real and effective GIDs set to the GID you specify.

The following example is part of a /etc/security/exec_attr database
with some typical values:

Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
Printer Management:suser:cmd:::/etc/init.d/lp:euid=0
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
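The entries above are exactly the ones an auditor reads first: every exec_attr line that sets uid or euid to 0 is a controlled path to root, and a wildcard id or a relative path makes that control meaningless. The following POSIX sh and awk script is an added example, not part of the course guide. It parses an exec_attr database in the seven-field format just described and reports root-granting entries, wildcard ids that grant root, and ids that are not absolute paths. The sample database it writes is constructed for this example: the Printer Management lines are the ones quoted above, the All line is the stock Solaris entry, and the "Example Audit" profile is hypothetical.

```shell
#!/bin/sh
# Added example: audit an exec_attr database for the entries a reviewer
# cares about most. Not code from the Solaris course guide.

write_sample_exec_attr() {            # $1 = file to write (constructed sample)
  cat > "$1" <<'EOF'
# exec_attr: name:policy:type:res1:res2:id:attr
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Printer Management:suser:cmd:::/usr/ucb/lpq:euid=0
Printer Management:suser:cmd:::/etc/init.d/lp:euid=0
Printer Management:suser:cmd:::/usr/bin/lpstat:euid=0
Printer Management:suser:cmd:::/usr/lib/lp/lpsched:uid=0
All:suser:cmd:::*:
Example Audit:suser:cmd:::*:uid=0
Example Audit:suser:cmd:::bin/cleanup.sh:euid=0;egid=sys
EOF
}

# Print one line per finding as  profile|id|finding  where finding is
#   root           the entry sets uid or euid to 0 (or root)
#   wildcard-root  a root entry whose id contains '*' (any command qualifies)
#   relative-path  the id is neither an absolute path nor a wildcard
exec_attr_findings() {                # $1 = exec_attr file
  awk -F: '
    /^#/ || NF < 7 { next }
    {
      profile = $1; id = $6; attr = $7; root = 0
      n = split(attr, kv, ";")             # attr is key=value;key=value
      for (i = 1; i <= n; i++) {
        split(kv[i], p, "=")
        if ((p[1] == "uid" || p[1] == "euid") && (p[2] == "0" || p[2] == "root"))
          root = 1
      }
      if (root && index(id, "*") > 0)  print profile "|" id "|wildcard-root"
      else if (root)                    print profile "|" id "|root"
      if (substr(id, 1, 1) != "/" && index(id, "*") == 0)
        print profile "|" id "|relative-path"
    }' "$1"
}

count_findings() {                    # $1 = exec_attr file, $2 = finding type
  exec_attr_findings "$1" | awk -F'|' -v t="$2" '$3 == t { c++ } END { print c + 0 }'
}

# Stand-alone demo: write the sample and list its findings.
demo=$(mktemp)
write_sample_exec_attr "$demo"
exec_attr_findings "$demo"
rm -f "$demo"
```

Run against a real system with `exec_attr_findings /etc/security/exec_attr`. For every id reported as root, also check with `ls -l` that the file and its directory are root-owned and not group- or world-writable, since the text's advice to point an entry at a wrapper script only holds if the profile holders cannot edit that script.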
Figure 11-9 shows the relationship between the
/etc/security/exec_attr and /etc/security/prof_attr databases.
Figure 11-9 Profile and Execution Association
The Printer Management profile lists execution attributes (or
commands) with the appropriate security attributes assigned in the
/etc/security/exec_attr database.
The /etc/security/auth_attr Database
An authorization is an RBAC feature that grants access to restricted
functions. It identifies, by a unique string, what is being authorized, as
well as who created the authorization.
You cannot create new authorizations as an administrator: an authorization
has effect only if a program checks for it, so new authorizations are
defined by the system programmers who write the applications that check
them.
Certain privileged programs check authorizations to determine whether
users can execute restricted functionality. For example, the
solaris.jobs.admin authorization is required for a user to edit another
user's crontab file.
All authorizations are stored in the /etc/security/auth_attr database.
You can assign authorizations directly to users or roles in the
/etc/user_attr database. You can also assign authorizations to rights
profiles, which are in turn assigned to users or roles.
Figure 11-10 shows the /etc/security/auth_attr database.
Figure 11-10 The auth_attr Database
The fields in the /etc/security/auth_attr database are separated by
colons, as follows:

authname:res1:res2:short_desc:long_desc:attr

where:

authname    A unique character string that identifies the authorization in
            the prefix.suffix[.] format. Authorizations for the Solaris OE
            use solaris as a prefix. All other authorizations use a prefix
            that begins with the reverse-order Internet domain name of the
            organization that creates the authorization (for example,
            com.xyzcompany). The suffix indicates what is being authorized,
            typically the functional area and operation.

            When there is no suffix (that is, the authname consists of a
            prefix, a functional area, and ends with a period), the
            authname serves as a heading for use by applications in their
            GUI rather than as an authorization. The authname
            solaris.printmgr. is an example of a heading.

            When authname ends with the word grant, the authname serves as
            a grant authorization and lets the user delegate related
            authorizations (that is, authorizations with the same prefix
            and functional area) to other users. The authname
            solaris.printmgr.grant is an example of a grant authorization.
            It gives the user the right to delegate such authorizations as
            solaris.printmgr.admin and solaris.printmgr.nobanner to other
            users.

            When an authname assigned to a user or profile ends with an
            asterisk (*), such as solaris.*, it matches every authorization
            whose name begins with the string before the asterisk. Treat
            such entries as broad grants when reviewing a configuration.

res1        Reserved for future use.

res2        Reserved for future use.

short_desc  A concise name for the authorization that is suitable for
            displaying in user interfaces.

long_desc   A long description. This field identifies the purpose of the
            authorization, the applications in which it is used, and the
            type of user who wants to use it. The long description can be
            displayed in the help text of an application.

attr        An optional list of key-value pairs that describes the
            attributes of an authorization. There can be zero or more keys.
            For example, the keyword help identifies a help file.
The following is an example of an /etc/security/auth_attr database,
with some typical values:

solaris.*:::Primary Administrator::help=PriAdmin.html
solaris.grant:::Grant All Rights::help=PriAdmin.html
solaris.device.:::Device Allocation::help=DevAllocHeader.html
solaris.device.allocate:::Allocate Device::help=DevAllocate.html
solaris.device.config:::Configure Device Attributes::help=DevConfig.html
solaris.device.grant:::Delegate Device Administration::help=DevGrant.html
solaris.device.revoke:::Revoke or Reclaim Device::help=DevRevoke.html
Note – The solaris.device. entry is defined as a heading, because it
ends in a dot (.). Headings are used by the GUI to organize families of
authorizations.
Figure 11-11 shows the relationship between the
/etc/security/auth_attr and the /etc/user_attr databases. The
solaris.system.date authorization, which is defined in the
/etc/security/auth_attr database, is assigned to the user johndoe in
the /etc/user_attr database.
Figure 11-11 User, Role, and Authorization Association
Relationships Between the Four RBAC Databases
Figure 11-12 shows how the fields of the four databases are related.
Figure 11-12 Relationship Between the Four RBAC Databases
The /etc/security/policy.conf File
The /etc/security/policy.conf file lets you grant specific rights
profiles and authorizations to all users. The two types of entries in the file
consist of key-value pairs, as follows:
● AUTHS_GRANTED=
authorizations
, where
authorizations
refers to
one or more authorizations
● PROFS_GRANTED=
right_profiles
, where
right_profiles
refers to
one or more rights profiles
Some typical values from an /etc/security/policy.conf file are
shown in the following example.
# cat policy.conf
#
# Copyright (c) 1999-2001 by Sun Microsystems, Inc. All rights reserved.
#
# /etc/security/policy.conf
#
# security policy configuration for user attributes. see policy.conf(4)
#
#ident "@(#)policy.conf 1.5 01/03/26 SMI"
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User

The solaris.device.cdrw authorization provides access to the cdrw
command.

# grep 'solaris.device.cdrw' /etc/security/auth_attr
solaris.device.cdrw:::CD-R/RW Recording Authorizations::help=DevCDRW.html
The Basic Solaris User profile grants every user the listed
authorizations, which are read-only or user-level operations. The
profiles=All field includes the All rights profile, whose exec_attr
entry is a wildcard (*) with no security attributes: it lets the user run
any command that an earlier entry in the user's profile list has not
already matched, but with the user's own UID and GID, not with elevated
attributes. The profile therefore grants no additional privilege by
itself; it exists so that ordinary commands keep working when RBAC is in
use.

# grep 'Basic Solaris User' /etc/security/prof_attr
Basic Solaris User:::Automatically assigned rights:
auths=solaris.profmgr.read,solaris.jobs.users,solaris.mail.mailq,
solaris.admin.usermgr.read,solaris.admin.logsvc.read,
solaris.admin.fsmgr.read,solaris.admin.serialmgr.read,
solaris.admin.diskmgr.read,solaris.admin.procmgr.user,
solaris.compsys.read,solaris.admin.printer.read,
solaris.admin.prodreg.read,solaris.admin.dcmgr.read,
solaris.snmp.read,solaris.project.read,solaris.admin.patchmgr.read,
solaris.network.hosts.read,solaris.admin.volmgr.read;profiles=All;
help=RtDefault.html

(The entry is a single line in the file; it is wrapped here for display.)
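Figure 11-12 and the policy.conf discussion above describe how a user's effective authorizations are assembled from user_attr, prof_attr (including nested profiles) and policy.conf, and the authname description earlier explains headings, grant authorizations and wildcards. The following POSIX sh and awk script is an added example that is not part of the course guide: it resolves the effective authorization set for a user or role from copies of those three databases and then answers "does this principal hold authorization X" and "may this principal delegate X" using the matching rules from the text. The databases it writes are constructed for this example; the "Example Ops" profile and the principals sysadmin and johndoe are hypothetical. On a real system the auths(1) command and the chkauthattr(3SECDB) routine perform this lookup against the live databases; the script reproduces the logic on files you hand it.

```shell
#!/bin/sh
# Added example: resolve effective RBAC authorizations from user_attr,
# prof_attr and policy.conf. Not code from the Solaris course guide.

write_sample_databases() {            # $1 = directory to write into (constructed samples)
  cat > "$1/user_attr" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=All
sysadmin::::type=role;profiles=Example Ops
johndoe::::type=normal;auths=solaris.system.date,solaris.printmgr.;roles=sysadmin
EOF
  cat > "$1/prof_attr" <<'EOF'
All:::Execute any command as the user or role:help=RtAll.html
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read,solaris.jobs.users;profiles=All;help=RtDefault.html
Printer Management:::Manage printers, daemons, spooling:auths=solaris.admin.printer.*;help=RtPrntAdmin.html
Device Management:::Control access to removable media:auths=solaris.device.*;help=RtDeviceMngmnt.html
Example Ops:::Hypothetical profile for this example:auths=solaris.jobs.grant;profiles=Printer Management,Device Management
EOF
  cat > "$1/policy.conf" <<'EOF'
# constructed policy.conf: applies to every user
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
EOF
}

# user_attr and prof_attr share the layout name:res1:res2:(desc):attr, where
# attr is a ';'-separated list of key=value pairs. Print the value of one key.
db_field() {                          # $1 = database file, $2 = entry name, $3 = key
  awk -F: -v n="$2" -v k="$3" '
    /^#/ { next }
    $1 == n { c = split($5, kv, ";")
              for (i = 1; i <= c; i++) { split(kv[i], a, "="); if (a[1] == k) print a[2] } }' "$1"
}

policy_value() {                      # $1 = policy.conf, $2 = AUTHS_GRANTED or PROFS_GRANTED
  awk -F= -v k="$2" '/^[ \t]*#/ { next } $1 == k { print $2 }' "$1"
}

# Print the auths of a profile and, recursively, of the profiles it includes.
# $3 is a ':'-separated list of profiles already visited, which stops cycles.
expand_profile() {                    # $1 = prof_attr, $2 = profile, $3 = visited
  case ":$3:" in *":$2:"*) return 0 ;; esac
  db_field "$1" "$2" auths | tr ',' '\n'
  db_field "$1" "$2" profiles | tr ',' '\n' | while IFS= read -r sub; do
    if [ -n "$sub" ]; then expand_profile "$1" "$sub" "$3:$2"; fi
  done
}

# Effective auth list for a user or role: direct auths, auths of assigned
# profiles, and the AUTHS_GRANTED/PROFS_GRANTED defaults from policy.conf.
# Roles listed in roles= are NOT expanded: their rights are only usable after
# su to the role, so they are not part of the user's own set.
user_auths() {                        # $1 = user_attr, $2 = prof_attr, $3 = policy.conf, $4 = name
  {
    db_field "$1" "$4" auths | tr ',' '\n'
    policy_value "$3" AUTHS_GRANTED | tr ',' '\n'
    { db_field "$1" "$4" profiles; policy_value "$3" PROFS_GRANTED; } | tr ',' '\n' |
      while IFS= read -r p; do
        if [ -n "$p" ]; then expand_profile "$2" "$p" ""; fi
      done
  } | awk 'NF' | sort -u
}

# One granted entry against one required auth: exact match, or a trailing
# '*' entry whose prefix matches. A heading (trailing '.') grants nothing.
auth_matches() {                      # $1 = granted entry, $2 = required auth
  case "$1" in
    *.)  return 1 ;;
    *\*) case "$2" in "${1%\*}"*) return 0 ;; esac; return 1 ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}

has_auth() {                          # $1..$4 as user_auths, $5 = required auth
  user_auths "$1" "$2" "$3" "$4" | while IFS= read -r g; do
    if auth_matches "$g" "$5"; then echo match; fi
  done | awk '$0 == "match" { f = 1 } END { exit (f ? 0 : 1) }'
}

# Delegation rule from the text (assumed form): the delegator must hold the
# auth itself plus either solaris.grant or the grant auth of the same
# functional area, e.g. solaris.device.allocate -> solaris.device.grant.
can_delegate() {                      # $1..$4 as user_auths, $5 = auth to delegate
  area=${5%.*}
  has_auth "$1" "$2" "$3" "$4" "$5" &&
    { has_auth "$1" "$2" "$3" "$4" solaris.grant ||
      has_auth "$1" "$2" "$3" "$4" "$area.grant"; }
}

# Stand-alone demo: list what johndoe and the sysadmin role actually hold.
demo_dir=$(mktemp -d)
write_sample_databases "$demo_dir"
for principal in johndoe sysadmin; do
  echo "== $principal"
  user_auths "$demo_dir/user_attr" "$demo_dir/prof_attr" "$demo_dir/policy.conf" "$principal"
done
rm -rf "$demo_dir"
```

Two things the output makes visible that the figures do not: johndoe is assigned the sysadmin role but holds none of its printer or device authorizations until he runs su to the role, and the sysadmin role gets solaris.admin.printer.read through the wildcard solaris.admin.printer.* rather than through an explicit entry, which is the kind of broad grant to look for when reviewing prof_attr.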
Managing RBAC
You can configure RBAC features using the Solaris Management Console
or the command line.
Managing RBAC Using the Solaris Management Console
The Solaris Management Console 2.1 in the Solaris 9 OE enables you to
configure RBAC features using a GUI console. The GUI provides a
point-and-click method of configuring RBAC rights and roles. The GUI
wizards prompt you for any necessary configuration parameters.
Note – Using the GUI assumes knowledge of the underlying
dependencies that are built into the RBAC feature.
Fundamentals of Managing RBAC
To set up privileged access using the RBAC GUI, follow these steps:
1. Build the user accounts that will be assigned the RBAC rights.
Note – Step 1 is not required if the designated rights and roles are being
made available to existing users.
2. Build the rights profiles needed to support the superuser access
requirements.
3. Build the role that will provide access to the rights profiles for
designated users.
The following example grants an ordinary user access to the package
administration commands, which normally require superuser access.
Figure 11-13 shows that access to the RBAC features begins with the
Solaris Management Console.
Figure 11-13 Solaris Management Console 2.1 – Users Window
To access RBAC features, perform the following steps:
1. Select Management Tools.
2. Click This Computer.
3. Click System Configuration.
4. Double-click the Users icon.
5. Log in as root, as shown in the Log In: User Name Window in
Figure 11-14.
Figure 11-14 Log In: User Name Window
From this login, you have the necessary permissions to set up users,
work with name services, and assign rights and roles to other users.
Note – After other users have been granted the necessary access
permissions, you can log in with those user login names on subsequent
sessions.
After you log in, the View pane displays the set of tools used to
perform traditional user administration tasks and the RBAC tasks, as
shown in Figure 11-15.
Figure 11-15 Solaris Management Console 2.1 – Users Tools Window
Table 11-4 defines the tools in the Users toolbox.

Table 11-4 Users Tools

Title                 Description

User Accounts         Add (or modify) user accounts in several ways:
                      individually, in multiples, or starting from a
                      template.

User Templates        Create a template. If you need to create multiple
                      users with similar attributes, you can first create
                      a template for that type of user.

Rights                Configure a named collection (a rights profile) that
                      includes three components: commands, authorizations,
                      and other previously created rights.

Administrative Roles  Configure a user account with a specific set of
                      administrative rights. You must use the su command
                      to access a role, because you cannot log in to a
                      role.

Groups                Manage access to groups.

Mailing Lists         Add a new mailing list. You can also use this tool
                      to view, add, or delete recipients in a mailing list.

6. Double-click the User Accounts icon to select the User Accounts
   functions.
   The existing users appear in the View pane, as shown in
   Figure 11-16.

Figure 11-16 Solaris Management Console 2.1 – User Accounts Window

Building User Accounts
You can build a new user account that will be assigned access to all the
package administration commands. Perform the following steps:
1. Select Add User from the Action menu, as shown in Figure 11-17.
Figure 11-17 Action Menu – Add User
2. Select With Wizard from the Add User submenu.
Note – The Add User Wizard works the same as the useradd command
and earlier GUI tools, such as AdminTool.
The Add User Wizard – Step 1 window appears, as shown in
Figure 11-18.
Figure 11-18 Add User Wizard – Step 1 Window
3. Enter the following information:

   User Name     The login name for this user account. Enter user1 as
                 the user name.

   Full Name     A descriptive entry identifying the owner of this
                 account. Enter RBAC user1 as the full name.

   Description   Similar to the full name, this field further identifies
                 the owner of this account. This entry populates the
                 gecos field in the /etc/passwd file. Enter Added
                 user for RBAC as the description.

4. Click Next to continue.

   The user ID number is the user's unique numerical ID for the
   system. The displayed number is the next available UID for the
   system. If this user account is accessible across multiple standalone
   systems, the UID should remain consistent to avoid file ownership
   problems between those systems.
5. Accept the default user ID number, as shown in the Add User
Wizard – Step 2 window in Figure 11-19.
Figure 11-19 Add User Wizard – Step 2 Window
6. Click Next to continue.
There are two password options in the Add User Wizard – Step 3
window, as shown in Figure 11-20. With the first option, the new
user will be prompted to set the password when logging in for the
first time. Alternatively, with the second option, you can
immediately assign the account password.
Figure 11-20 Add User Wizard – Step 3 Window
7. Enter and confirm 123pass as the password, as shown in
Figure 11-20.
8. Click Next to continue.
Group membership allows this user to share access permissions with
other users in the same group, as shown in the Add User Wizard – Step 4
window in Figure 11-21. The wizard asks for the primary group; you can
add the user to additional groups after the account is created. Each user
can belong to up to 15 additional groups, also known as secondary groups.

9. When prompted with a choice for the new user’s primary group
membership, accept the default group assignment, as shown in
Figure 11-21.
Figure 11-21 Add User Wizard – Step 4 Window
10. Click Next to continue.
The home directory path defines where this user’s personal files are
stored, as shown in the Add User Wizard – Step 5 window in
Figure 11-22. When the account is created, the new user name
appends to the home directory path that is defined in this field. For
example, if this user is named user1, then the home directory
becomes /export/home/user1.
Figure 11-22 Add User Wizard – Step 5 Window
11. Enter the name of the directory in which the user’s home directory
will be created (/export/home), as shown in Figure 11-22.
12. Click Next to continue.
When you create a new user account, it is customary to also create a
mail account, as shown in the Add User Wizard – Step 6 window in
Figure 11-23. You provide the user with a mailbox that is a file on the
mail server (also known as the inbox) that holds all newly received
mail.
Figure 11-23 Add User Wizard – Step 6 Window
13. Click Next to accept the defaults, as shown in Figure 11-23.
14. Check each field for inadvertent errors, as shown in the Add User
Wizard – Step 7 window in Figure 11-24. If you see any errors, step
back through the windows to correct them, and then step forward
again to the confirmation window.
Figure 11-24 Add User Wizard – Review Window
15. When you are satisfied with the field inputs, click Finish to complete
building the new user account.
After the new account is created, you are returned to the Solaris
Management Console Window, which displays the new account, as
shown in Figure 11-25.
Figure 11-25 Solaris Management Console 2.1 – User Accounts Window
To test the user account, perform the following steps:
1. Log in with the user name that was just created.
Note – The host name in this example is sys44, and the user name is
user1.
# telnet sys44
Trying 127.0.0.1
Connected to sys44.
Escape character is '^]'.
SunOS 5.9
login: user1
Password:
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
2. Execute a few commands to verify that the new account functions as
created.
$ who
root console Feb 28 13:45 (:0)
root pts/4 Mar 2 09:29 (:0.0)
user1 pts/5 Mar 6 14:32 (sys44)
$ id
uid=4001(user1) gid=10(staff)
$ ls -a
. .cshrc .login .profile
$
3. Now that you have verified that the basic Solaris OE commands are
functioning within the new user account, try executing more
specialized commands within this account. Use the pkginfo
(package information) command and the pkgrm (package removal)
command. These examples use the SUNWpppg package.
$ pkginfo -l SUNWpppg
PKGINST: SUNWpppg
NAME: GNU utilities for PPP
CATEGORY: system
ARCH: sparc
VERSION: 11.9.0,REV=2002.02.12.18.33
BASEDIR: /
VENDOR: Sun Microsystems, Inc.
DESC: Optional GNU utilities for use with PPP
PSTAMP: crash20020212184313
INSTDATE: Feb 28 2002 08:32
HOTLINE: Please contact your local service provider
STATUS: completely installed

FILES: 12 installed pathnames
8 shared pathnames
8 directories
3 executables
146 blocks used (approx)
$ pkgrm SUNWpppg
pkgrm: not found
