Getting Started With OpenSolaris 2009.06

User Accounts and Roles

The assignment of user accounts and roles in the OpenSolaris operating system conforms to Role-Based Access Control (RBAC) specifications. RBAC provides a more secure alternative to the all-or-nothing superuser model. RBAC applies the security principle of least privilege, meaning a user has precisely the amount of privilege that is necessary to perform a specific job. Capabilities that go beyond ordinary user capabilities are grouped together into profiles. These profiles are assigned to special user accounts, called roles. A user assumes a role to do a job that requires some of the superuser's capabilities. In the OpenSolaris release, the root user is a role.

Profiles and roles differ in the following ways:

  • Profiles are included in the OpenSolaris software, while roles are not.

  • Profiles are named so that they can be associated with a role that the system administrator creates with the same name.

  • Profiles are hierarchical, meaning a profile can include another profile.

    For example, if a role is assigned a profile that contains other profiles, that role includes all of those profiles.

To better understand the purpose and function of user accounts and roles in the OpenSolaris operating system, review the following information:

  • A role is a user account that cannot be logged in to directly; the root role is one example. You must use the su command to assume a role, and you can assume only the roles that are assigned to your login account.

  • The profiles that are included in the OpenSolaris software are predefined. A profile is an attribute that can be assigned to a user account. These profiles are listed in the /etc/security/prof_attr file. If your login has the Primary Administrator profile, for example, you can use the pfexec command or one of the profile shells, such as pfcsh, to run a command with the authorizations that are associated with that profile. The Primary Administrator profile has all authorizations assigned to it, so the profile is effectively the same as assuming the root role on a system. The user account that is created during the OpenSolaris installation has the Primary Administrator profile assigned to it.


    Note - The Primary Administrator profile does not have the zfssnap role assigned to it by default. This role is required to change the behavior of the Time Slider feature from the desktop. See How to Add the zfssnap Role to the Default User Account.


  • In the OpenSolaris operating system, the pfexec command is used for running commands in a privileged shell. The pfexec utility executes commands with the predefined attributes that the system administrator specifies in user profiles. When you run commands with pfexec, you effectively have the privileges that are associated with the Primary Administrator profile. However, if you have a number of privileged tasks to execute, you may find it more convenient to assume the root role than to prefix each task with pfexec. For more information, see the pfexec(1M) man page.

Assigning Roles to User Accounts

Roles and profiles can be assigned to user accounts from the desktop or by using the command line. You can individually assign as many profiles as you want to one role. You might want to assign a name to the role that reflects the different profiles that are associated with that role.

  • To determine which roles are assigned to your user account, open a terminal window and type:

    $ roles

  • To assign a role from the desktop, choose System > Administration > Users and Groups > Users > Properties > User Roles.

    For an example of how to assign a role from the desktop, see How to Add the zfssnap Role to the Default User Account.

  • To assign a role by using the command line, use the roleadd command.

    For more information, see the roleadd(1M) man page.
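The following shell script is an added example, not part of this guide or of the OpenSolaris software. It shows how the databases behind the roles and profiles described above fit together: it builds constructed prof_attr(4) and user_attr(4) entries (the accounts jdoe and opsuser and the entry contents are hypothetical stand-ins, not copied from a real system), expands a login account's profiles through the profile hierarchy (a profile's profiles= attribute pulling in other profiles), and applies the rule that a login may assume only a role that is both defined as type=role and listed in that login's roles= attribute. On a real OpenSolaris host, compare the results against the output of the roles and profiles commands.

```shell
#!/bin/sh
# Added example (hypothetical accounts and constructed database entries).
# Writes stand-ins for /etc/security/prof_attr and /etc/user_attr to a
# temporary directory so that the script runs on any system.

RBAC_DIR=$(mktemp -d)
trap 'rm -rf "$RBAC_DIR"' EXIT
PROF_ATTR="$RBAC_DIR/prof_attr"   # stand-in for /etc/security/prof_attr
USER_ATTR="$RBAC_DIR/user_attr"   # stand-in for /etc/user_attr

# prof_attr(4) format: profname:res1:res2:description:attr
# attr is a ;-separated list of key=value pairs; a profiles= key is what
# makes profiles hierarchical. Entries below are simplified and constructed.
cat > "$PROF_ATTR" <<'EOF'
All:::Execute any command as the user or role:help=RtAll.html
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read;profiles=All;help=RtDefault.html
Audit Review:::Review Audit Trail:auths=solaris.audit.read;help=RtAuditReview.html
ZFS File System Management:::Create and Manage ZFS File Systems:help=RtZFSFileSysMngmnt.html
System Administrator:::Can perform most non-security administrative tasks:profiles=Audit Review,ZFS File System Management,All;help=RtSysAdmin.html
Primary Administrator:::Can perform all administrative tasks:auths=solaris.*,solaris.grant;help=RtPriAdmin.html
EOF

# user_attr(4) format: user:qualifier:res1:res2:attr
# type=role marks a role (no direct login); roles= lists the roles a login
# account may assume with su. jdoe and opsuser are hypothetical accounts.
cat > "$USER_ATTR" <<'EOF'
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
zfssnap::::type=role;profiles=ZFS File System Management
jdoe::::type=normal;profiles=Primary Administrator;roles=root
opsuser::::type=normal;profiles=System Administrator,Basic Solaris User;roles=zfssnap
EOF

# awk helper shared by the queries below: attr(s, key) returns the value of
# key=value inside a ;-separated attribute string s, or "" when absent.
ATTR_FN='
function attr(s, key,    n, kv, i, eq) {
    n = split(s, kv, ";")
    for (i = 1; i <= n; i++) {
        eq = index(kv[i], "=")
        if (eq > 0 && substr(kv[i], 1, eq - 1) == key) return substr(kv[i], eq + 1)
    }
    return ""
}'

# effective_profiles USER: prints, one per line and depth first, every profile
# USER holds directly or through the profile hierarchy. Each profile is printed
# once, which also protects against a cycle in the profiles= chain.
effective_profiles() {
    awk -F: -v user="$1" "$ATTR_FN"'
        function expand(name,    n, list, i) {
            if (name in seen) return
            seen[name] = 1
            print name
            n = split(attr(prof[name], "profiles"), list, ",")
            for (i = 1; i <= n; i++) expand(list[i])
        }
        FNR == NR { prof[$1] = $NF; next }       # first file: prof_attr
        $1 == user {                             # second file: user_attr
            n = split(attr($NF, "profiles"), list, ",")
            for (i = 1; i <= n; i++) expand(list[i])
        }
    ' "$PROF_ATTR" "$USER_ATTR"
}

# can_assume USER ROLE: exits 0 only when ROLE is defined with type=role and
# appears in USER'\''s roles= list; this is the condition the text describes
# for su, so a normal account cannot be "assumed" and an unassigned role is refused.
can_assume() {
    awk -F: -v user="$1" -v role="$2" "$ATTR_FN"'
        $1 == role && attr($NF, "type") == "role" { is_role = 1 }
        $1 == user {
            n = split(attr($NF, "roles"), list, ",")
            for (i = 1; i <= n; i++) if (list[i] == role) assigned = 1
        }
        END { if (is_role && assigned) exit 0; exit 1 }
    ' "$USER_ATTR"
}

# Stand-alone demonstration over the constructed accounts.
for u in jdoe opsuser; do
    printf '%s may assume:' "$u"
    for r in root zfssnap; do
        can_assume "$u" "$r" && printf ' %s' "$r"
    done
    printf '\n  effective profiles: %s\n' "$(effective_profiles "$u" | tr '\n' ';')"
done
```

In the constructed data, opsuser's System Administrator profile and Basic Solaris User profile both include All, and the expansion lists it once; jdoe may assume root but not zfssnap, which matches the note above that the default account needs the zfssnap role added before it can change Time Slider behavior.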
