How To Create Custom Roles Using RBAC
(Doc ID 1010196.1)
Last updated on DECEMBER 18, 2023
Applies to:
Solaris Operating System - Version 8 and later
All Platforms
Goal
This article details how to customize RBAC.
Role Based Access Control (RBAC) allows root to delegate specific superuser privileges without sharing all root's powers. By default, RBAC is ready-to-go in Solaris 8 (and greater) Operating System. Using it is simply a matter of creating a special user account and mapping commands (or command sets) to it. root authorizes trusted users to assume the role's identity (via /usr/bin/su) and execute any/all superuser commands mapped to it.
For instance, arbitrary role account "test" could be mapped to pre-defined profiles in /etc/security/exec_attr, such as the command /usr/sbin/ifconfig. To allow trusted non-root user <FirstName LastName> (<username>) to run ifconfig, root would grant <username> 'su' (/usr/bin/su) rights to role "test".
Once done, user <username> could 'su' into role "test" and execute the profile /usr/sbin/ifconfig, which is normally restricted to 'root'. Since "test" maps only to 'ifconfig', attempts to execute other privileged commands, such as /usr/sbin/shutdown, will fail.
For Solaris 11.x RBAC (Assigning Rights to Users and Roles) see https://docs.oracle.com/cd/E37838_01/html/E61023/rbactask-assignrights-1.html.
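The user-to-role-to-command mapping described above can be audited from copies of the RBAC databases. The POSIX shell script below is an added example, not part of the original article or Oracle's tooling. It assumes a constructed user "jdoe", hypothetical profile names "Ifconfig Only" and "Shutdown Only", and hypothetical helper functions, and it reads constructed sample copies of /etc/user_attr and /etc/security/exec_attr.

```shell
# Constructed sample data, not copied from a real system.
# File formats: user_attr = user:qualifier:res1:res2:attr
#               exec_attr = profile:policy:type:res1:res2:id:attr
SAMPLE_DIR=$(mktemp -d)
UA="$SAMPLE_DIR/user_attr"; EA="$SAMPLE_DIR/exec_attr"
cat > "$UA" <<'EOF'
root::::type=normal;auths=solaris.*;profiles=All
test::::type=role;profiles=Ifconfig Only
jdoe::::type=normal;roles=test
EOF
cat > "$EA" <<'EOF'
# "Ifconfig Only" and "Shutdown Only" are hypothetical profile names
Ifconfig Only:suser:cmd:::/usr/sbin/ifconfig:uid=0
Shutdown Only:suser:cmd:::/usr/sbin/shutdown:uid=0
EOF

# attr_value USER_ATTR NAME KEY: print the value of KEY (roles, profiles) for NAME
attr_value() {
    awk -F: -v n="$2" -v k="$3" '
        $1 == n {
            cnt = split($5, kv, ";")
            for (i = 1; i <= cnt; i++)
                if (index(kv[i], k "=") == 1) print substr(kv[i], length(k) + 2)
        }' "$1"
}

# role_commands USER_ATTR EXEC_ATTR ROLE: commands the role's profiles run as root
role_commands() {
    attr_value "$1" "$3" profiles | tr ',' '\n' | while IFS= read -r prof; do
        awk -F: -v p="$prof" '
            /^#/ { next }
            $1 == p && $3 == "cmd" {
                a = ";" $7 ";"   # delimit so "uid=0" cannot match inside "euid=0"
                if (index(a, ";uid=0;") || index(a, ";euid=0;")) print $6
            }' "$2"
    done
}

# user_may_run USER_ATTR EXEC_ATTR USER CMD: exit 0 if a role the user may assume maps CMD
user_may_run() {
    for role in $(attr_value "$1" "$3" roles | tr ',' ' '); do
        role_commands "$1" "$2" "$role" | grep -Fxq "$4" && return 0
    done
    return 1
}

user_may_run "$UA" "$EA" jdoe /usr/sbin/ifconfig && echo "jdoe via role test: ifconfig allowed"
user_may_run "$UA" "$EA" jdoe /usr/sbin/shutdown || echo "jdoe via role test: shutdown denied"
```

Running the same functions against copies of a host's real files shows which root-level commands each delegated role exposes, which is the list to review before granting a user the role.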
Solution