Example 2-1 Creating a Custom Operator Role by Using the smrole Command
The following sequence demonstrates how a role is created with the smrole command. In this example, a new version of the Operator role, named oper2, is created on the host myHost while authenticated as the primaryadmin role; the new role is assigned both the standard Operator rights profile and the Media Restore rights profile, and is assigned to the user johnDoe. Because nscd caches user_attr lookups, the name service cache daemon is restarted at the end so that the new role is visible immediately.
% su primaryadmin
# /usr/sadm/bin/smrole add -H myHost -- -c "Custom Operator" -n oper2 -a johnDoe \
-d /export/home/oper2 -F "Backup/Restore Operator" -p "Operator" -p "Media Restore"
Authenticating as user: primaryadmin
Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <type primaryadmin password>
Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost
Login to myHost as user primaryadmin was successful.
Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful.
Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <type oper2 password>
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
To view the newly created role (and any other roles), use smrole with the list option, as follows:
# /usr/sadm/bin/smrole list --
Authenticating as user: primaryadmin
Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <type primaryadmin password>
Loading Tool: com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost
Login to myHost as user primaryadmin was successful.
Download of com.sun.admin.usermgr.cli.role.UserMgrRoleCli from myHost was successful.
root            0     Super-User
primaryadmin    100   Most powerful role
sysadmin        101   Performs non-security admin tasks
oper2           102   Custom Operator
Modifying a User's RBAC Properties
To modify a user's properties, you must either be running the User Tool Collection as the root user or assume a role that has the Primary Administrator rights profile assigned to it.
How to Modify a User's RBAC Properties by Using the User Accounts Tool
1. Start the User Accounts tool.
   To run the User Accounts tool, start the Solaris Management Console, as described in "How to Assume a Role in the Console Tools" in System Administration Guide: Security Services. Then open the User Tool Collection and click the User Accounts icon.
   After the User Accounts tool starts, the icons for the existing user accounts are displayed in the view pane.
2. Click the icon of the user account to be changed and select Properties from the Action menu (or simply double-click the user account icon).
3. Click the appropriate tab in the dialog box for the property to be changed, as follows:
   - To change the roles that are assigned to the user, click the Roles tab and move the role assignment to be changed to the appropriate column: Available Roles or Assigned Roles.
   - To change the rights profiles that are assigned to the user, click the Rights tab and move the rights profile to be changed to the appropriate column: Available Rights or Assigned Rights.
   Note - It is not good practice to assign rights profiles directly to users. The preferred approach is to require users to assume a role in order to run privileged applications. This strategy avoids the possibility of normal users abusing privileges.
How to Modify a User's RBAC Properties From the Command Line
1. Become superuser or assume a role that can modify user files.
2. Use the appropriate command:
   - To change the authorizations, roles, or rights profiles that are assigned to a user who is defined in the local scope, use the usermod(1M) command.
   - Alternatively, to change the authorizations, roles, or rights profiles that are assigned to a user who is defined in the local scope, edit the user_attr file. This method is recommended for emergencies only, as it is easy to make a mistake while you are typing.
   - To change the authorizations, roles, or rights profiles that are assigned to a user who is defined in a name service, use the smuser(1M) command. This command requires authentication as superuser or as a role that is capable of changing user files. You can apply smuser to all name services. smuser runs as a client of the Solaris Management Console server.
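The command-line procedure above names three ways to change a local user's RBAC attributes, and warns that editing user_attr by hand is error-prone. The following POSIX shell script is an added example, not part of the Solaris guide: it works on a constructed copy of a user_attr(4) database (format user:qualifier:res1:res2:attr, with attr a ';'-separated list of key=value pairs and ','-separated list values), shows the edit that `usermod -R role user` or `usermod -P profile user` performs on the local scope, reads back an attribute the way `roles user` or `profiles user` would, and lints the file the way a careful emergency edit should be checked before it is saved. The entries, the helper names (ua_get, ua_add, ua_validate) and the temporary file path are assumptions made for the example.

```shell
# Added example, not from the Solaris guide: edit and lint a user_attr(4)
# database offline. Format: user:qualifier:res1:res2:attr, where attr is a
# ';'-separated list of key=value pairs and list values are ','-separated.

# Constructed sample entries (names borrowed from the page's example; not a real system).
UA_FILE="${TMPDIR:-/tmp}/user_attr.example.$$"
cat > "$UA_FILE" <<'EOF'
# constructed example user_attr; not a real system's file
root::::auths=solaris.*,solaris.grant;profiles=All
primaryadmin::::type=role;auths=solaris.*,solaris.grant;profiles=All
oper2::::type=role;profiles=Operator,Media Restore
johnDoe::::type=normal;roles=oper2
janeDoe::::type=normal
EOF

# ua_get FILE USER KEY: print the value of one attr key for USER (what
# `roles USER` or `profiles USER` would report on a real system).
ua_get() {
    awk -F: -v u="$2" -v k="$3" '
        /^#/ || NF == 0 { next }
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq && substr(kv[i], 1, eq - 1) == k) { print substr(kv[i], eq + 1); exit }
            }
        }' "$1"
}

# ua_add FILE USER KEY ITEM: rewrite FILE so that USER's KEY list contains ITEM,
# creating the key if absent and never duplicating an item. This is the change
# `usermod -R ITEM USER` (roles) or `usermod -P ITEM USER` (profiles) makes locally.
ua_add() {
    tmp="$1.tmp.$$"
    awk -F: -v OFS=: -v u="$2" -v k="$3" -v item="$4" '
        /^#/ || NF == 0 || $1 != u { print; next }
        {
            n = split($5, kv, ";"); out = ""; found = 0
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (!eq) { out = ((out == "") ? "" : (out ";")) kv[i]; continue }  # keep malformed token as is
                key = substr(kv[i], 1, eq - 1); val = substr(kv[i], eq + 1)
                if (key == k) {
                    found = 1; have = 0
                    m = split(val, items, ",")
                    for (j = 1; j <= m; j++) if (items[j] == item) have = 1
                    if (!have) val = (val == "") ? item : (val "," item)
                }
                out = ((out == "") ? "" : (out ";")) key "=" val
            }
            if (!found) out = ((out == "") ? "" : (out ";")) k "=" item
            $5 = out; print
        }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# ua_validate FILE: the check a hand edit should pass before saving. Every entry
# must have exactly five colon-separated fields, every attr must be key=value with
# a known key, and type must be normal or role. Prints one line per problem and
# returns 1 if any were found.
ua_validate() {
    awk -F: '
        BEGIN { split("type auths profiles roles project defaultpriv limitpriv", a, " ")
                for (i in a) known[a[i]] = 1 }
        /^#/ || NF == 0 { next }
        NF != 5 { bad++; printf "line %d: expected 5 fields, got %d\n", NR, NF; next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                key = eq ? substr(kv[i], 1, eq - 1) : kv[i]
                if (!eq || !(key in known)) {
                    bad++; printf "line %d: unknown or malformed attribute %s\n", NR, kv[i]; continue
                }
                if (key == "type" && substr(kv[i], eq + 1) !~ /^(normal|role)$/) {
                    bad++; printf "line %d: bad type %s\n", NR, kv[i]
                }
            }
        }
        END { exit (bad > 0) }' "$1"
}

# Demonstration: assign the oper2 role to janeDoe (twice, to show the edit is
# idempotent), read it back, and lint the result.
ua_add "$UA_FILE" janeDoe roles oper2
ua_add "$UA_FILE" janeDoe roles oper2
printf 'janeDoe roles: %s\n' "$(ua_get "$UA_FILE" janeDoe roles)"
ua_validate "$UA_FILE" && echo "user_attr is well formed"
```

The lint step is the point of the example: the guide recommends hand edits for emergencies only because a stray colon or a misspelled key silently changes what a user may do, and a five-field, known-key check catches exactly those slips before the file is put in place. Assigning a role to the user, rather than a rights profile, also follows the note in the User Accounts procedure above.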