Rights Profiles for Users and Roles

Both normal users and roles need to have rights profiles assigned in order to be able to use any commands or actions. Roles need profiles to perform administrative tasks.

Users' Default Rights Profiles

The Basic Solaris User profile is assigned by default to all users and roles in the policy.conf(4) file. The Basic Solaris User profile allows the user to enter all commands, to manage that user's own cron(1) and at(1) jobs, to launch the Solaris Management Console (SMC), and to view the settings in the SMC tools.

Roles' Rights Profiles

As described in Rights of Users and Roles, the root role is assigned a number of profiles in each default local user_attr file. The following tables list the nested supplementary rights profiles that are in the default rights profiles assigned to the four recommended roles.

Primary Administrator Profile

Privileged Shells
All Solaris Authorizations

Information Security Profile

Device Security
File System Security
Name Service Security
Network Security
Object Access Management
Object Label Management
Remote Administration

Rights Security Profile

Custom Secadmin Role
Audit Control
Object Privilege Management
Remote Administration
Rights Delegation
User Security

System Administrator Profile

Audit Review
Cron Management
Device Management
File System Management
Mail Management
Maintenance and Repair
Media Backup
Media Restore
Name Service Management
Network Management
Object Access Management
Printer Management
Process Management
Software Installation
User Management
Operator Profile

Media Backup
Printer Management

Descriptions of Rights Nested in Role Profiles

See /usr/lib/help/profiles/locale/C/index.html for the definitions for these and other default profiles.
All
  Description: Execute any command as the user or role
  Notes: Allows the use of any command when working in a profile shell. All roles have this rights profile, which has a wildcard entry (*) matching every command. No special process attributes are associated with the wildcard, so when the All profile is assigned, all commands that are not explicitly listed in another assigned rights profile run with the uid, gid, label, and clearance of the current user (or role) and with no privileges.
  This right should always be last in the list of rights. If it is first, no other rights are consulted when looking up command or action attributes.

Audit Control
  Description: Configure BSM auditing
  Notes: For managing the audit subsystem (which can be used to keep an audit trail of activities on the system). For reviewing audit trail files, see Audit Review.

Audit Review
  Description: Review BSM auditing logs
  Notes: For reviewing the audit trail. For managing the audit subsystem, see Audit Control.

Basic Solaris User
  Description: Default set of authorizations and rights
  Notes: Assigned by default in the /etc/security/policy.conf file, this right allows the user to bring up the SMC and view information in the SMC tools. It also allows users to add cron jobs to their own crontab file.

Cron Management
  Description: Manage at and cron jobs
  Notes: For managing cron(1) and at(1) jobs to schedule repetitive system events based on commands found in crontab and atjob files.

Custom Admin Role
  Description: Modify this rights profile to customize the System Administrator role.
  Notes: This profile should be assigned to the System Administrator Profile. Any changes to the System Administrator role should be made to this profile, for ease in debugging potential problems.

Custom Oper Role
  Description: Modify this rights profile to customize the Operator role.
  Notes: This profile should be assigned to the Operator Profile. Any changes to the Operator role should be made to this profile, for ease in debugging potential problems.

Custom Primaryadmin Role
  Description: Modify this rights profile to customize the Primary Administrator role.
  Notes: This profile does not exist by default. It should be created following the model of the other Custom Profiles and added to the Primary Administrator profile. Any changes to the Primary Administrator role should be made to this profile, for ease in debugging potential problems.

Custom Root Role
  Description: Modify this rights profile to customize the root role.
  Notes: This profile should be assigned to the root role. Any changes to the root role should be made to this profile, for ease in debugging potential problems.

Custom Secadmin Role
  Description: Modify this rights profile to customize the Security Administrator role.
  Notes: This profile should be assigned to the Security Administrator Profile. Any changes to the Security Administrator role should be made to this profile, for ease in debugging potential problems.

Device Management
  Description: Control access to removable media
  Notes: For permitting the allocation and deallocation of devices (allocation restricts access to certain devices such as tape drives, disk drives, printers, and other peripherals to one user at a time), and the correction of error conditions related to device allocation.

Device Security
  Description: Manage devices and Volume Manager
  Notes: Allows the management and configuration of devices and of the volume manager (which manages virtual disk devices).

File System Management
  Description: Manage, mount, and share file systems

File System Security
  Description: Manage file system security attributes

Mail Management
  Description: Manage sendmail and mail queues

Maintenance and Repair
  Description: Maintain and repair a system
  Notes: Use commands for maintaining or repairing the system.

Media Backup
  Description: Back up files and file systems
  Notes: For backing up files. For restoring files, see Media Restore.

Media Restore
  Description: Restore files and file systems from backups
  Notes: For restoring backed-up files. For backing up files, see Media Backup.

Name Service Management
  Description: Non-security name service scripts and commands
  Notes: For controlling name service daemons and managing non-security-relevant databases.

Name Service Security
  Description: Security-related name service scripts and commands
  Notes: For managing security-relevant databases.

Network Management
  Description: Manage host and network configuration
  Notes: For configuring hosts and networks. For assigning security attributes to networks and hosts, see Network Security.

Network Security
  Description: Manage network and host security
  Notes: For managing network and host security, with authorizations for modifying trusted network databases.

Object Access Management
  Description: Change ownership and permissions on files

Object Label Management
  Description: Change labels on files

Object Privilege Management
  Description: Manage privileges

Printer Management
  Description: Manage printers, daemons, and spooling

Privileged Shells
  Description: Run the Bourne, Korn, and C shells with all privileges

Process Management
  Description: Manage current processes and processors

Remote Administration
  Description: Remote administration of headless systems

Rights Delegation
  Description: Delegate the ability to assign rights to users and roles
  Notes: For assigning roles to users and rights profiles to roles, to users, and to other rights profiles. A user or role with this rights profile can only:
  • Assign a role to other users if the role is assigned to the account doing the granting
  • Assign a rights profile to a user, a role, or another rights profile if that rights profile is assigned to the account doing the granting

Software Installation
  Description: Add application software to the system

User Management
  Description: Manage users, groups, and home directories
  Notes: For creating user and role accounts and specifying non-security-related attributes. Does not grant either the ability to modify itself (as a security measure) or the right to modify users' security attributes (see User Security).

User Security
  Description: Manage users' security attributes (such as passwords, roles, rights, label view, and label ranges)
  Notes: Does not grant the right to create users and specify non-security-related attributes for users (see User Management).
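The All entry above requires All to be last because a command's attributes come from the first profile whose exec_attr entry matches, and the role tables above nest profiles inside profiles. The following added example (not code from the Solaris documentation) parses constructed user_attr, prof_attr and exec_attr lines, flattens nested profiles in assigned order, resolves a command the way that first-match lookup does, and flags any account whose flattened list does not end in All. The depth-first walk order, the account names and the command entries are assumptions made for this example.

```python
import fnmatch
# Constructed sample lines in user_attr(4), prof_attr(4) and exec_attr(4) syntax; the accounts are invented.
USER_ATTR = """\
sysadmin::::type=role;profiles=System Administrator
oper::::type=role;profiles=All,Operator
"""
PROF_ATTR = """\
System Administrator:::Manage the system:profiles=Process Management,All
Operator:::Operate the system:profiles=Media Backup,All
Process Management:::Manage processes:
Media Backup:::Back up files:
All:::Execute any command:
"""
EXEC_ATTR = """\
Process Management:solaris:cmd:::/usr/bin/kill:privs=proc_owner
Media Backup:solaris:cmd:::/usr/sbin/tar:uid=0
All:solaris:cmd:::*:
"""

def parse_attrs(field):  # 'key=value;key=value' attribute field -> dict
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)
def profiles_of(attrs):  # ordered list from a profiles=A,B,C attribute
    return [p for p in attrs.get("profiles", "").split(",") if p]

def load_attrs(text):  # user_attr(4) and prof_attr(4) both carry attributes in field 4
    return {l.split(":")[0]: parse_attrs(l.split(":")[4]) for l in text.splitlines()}

def load_exec_attr(text):  # (profile, command id, attrs) in file order: fields 0, 5 and 6
    return [(f[0], f[5], parse_attrs(f[6])) for f in (l.split(":") for l in text.splitlines())]

def expand(names, prof_attr, seen=None):
    """Flatten nested profiles depth-first in assigned order (the walk order assumed here)."""
    seen = [] if seen is None else seen
    for name in names:
        if name not in seen:
            seen.append(name)
            expand(profiles_of(prof_attr.get(name, {})), prof_attr, seen)
    return seen

def lookup(account, cmd, user_attr, prof_attr, exec_attr):
    """First exec_attr entry that matches cmd wins; the All entry's '*' matches every command."""
    for prof in expand(profiles_of(user_attr[account]), prof_attr):
        for name, ident, attrs in exec_attr:
            if name == prof and fnmatch.fnmatchcase(cmd, ident):
                return prof, attrs
    return None, {}

def all_misplaced(user_attr, prof_attr):  # accounts whose flattened list has All anywhere but last
    orders = {a: expand(profiles_of(attrs), prof_attr) for a, attrs in user_attr.items()}
    return [a for a, order in orders.items() if "All" in order and order[-1] != "All"]
```

With the sample data, /usr/sbin/tar resolves for oper through All with no attributes rather than through Media Backup with uid=0, which is the failure the All note warns about.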