How To Create Custom Roles Using Role Based Access Control (RBAC)

(Doc ID 1010196.1)

Last updated on AUGUST 01, 2016

Applies to:

Solaris Operating System - Version 8.0 and later
All Platforms

Goal

This article details how to customize RBAC.

Role Based Access Control (RBAC) allows root to delegate specific superuser privileges without sharing all of root's powers. By default, RBAC is ready to use in the Solaris 8 (and later) Operating System. Using it is simply a matter of creating a special user account and mapping commands (or command sets) to it. root then authorizes trusted users to assume the role's identity (via /usr/bin/su) and execute any or all of the superuser commands mapped to it.

For instance, an arbitrary role account "test" could be mapped to a pre-defined profile in /etc/security/exec_attr that covers a command such as /usr/sbin/ifconfig. To allow trusted non-root user John Doe (jdoe) to run ifconfig, root would grant jdoe 'su' (/usr/bin/su) rights to role "test".

Once done, user jdoe could 'su' into role "test" and execute the mapped command /usr/sbin/ifconfig, which is normally restricted to 'root'. Since "test" maps only to 'ifconfig', attempts to execute other privileged commands, such as /usr/sbin/shutdown, will fail.
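
An audit check for the role-to-command mapping described above, as an added example that is not part of the Oracle article: it reads files in the user_attr and exec_attr formats and lists which privileged commands a user can reach through roles. The sample lines and the profile name "Ifconfig Only" are constructed, and nested profiles in prof_attr are not expanded.

```shell
#!/bin/sh
# Added example: which privileged commands can a user reach through RBAC roles?
# Sample data is constructed; the profile name "Ifconfig Only" is hypothetical.

# attr_value KEY ATTRS -> value of KEY in a ';'-separated key=value list
attr_value() {
    printf '%s\n' "$2" | tr ';' '\n' | awk -F= -v k="$1" '$1 == k { print $2 }'
}

# entry_attr FILE NAME KEY -> value of KEY for NAME in a user_attr-format file
# (fields: user:qualifier:res1:res2:attr)
entry_attr() {
    attrs=$(awk -F: -v n="$2" '!/^#/ && $1 == n { print $5 }' "$1")
    attr_value "$3" "$attrs"
}

# role_commands USER_ATTR EXEC_ATTR ROLE -> commands mapped by the role's profiles
# (exec_attr fields: name:policy:type:res1:res2:id:attr; field 6 is the command)
role_commands() {
    entry_attr "$1" "$3" profiles | tr ',' '\n' | while IFS= read -r prof; do
        [ -n "$prof" ] || continue
        awk -F: -v p="$prof" '!/^#/ && $1 == p && $3 == "cmd" { print $6 }' "$2"
    done
}

# user_commands USER_ATTR EXEC_ATTR USER -> "role command" pairs reachable via su
user_commands() {
    entry_attr "$1" "$3" roles | tr ',' '\n' | while IFS= read -r role; do
        [ -n "$role" ] || continue
        # Skip names that are listed as roles but not declared type=role
        [ "$(entry_attr "$1" "$role" type)" = role ] || continue
        role_commands "$1" "$2" "$role" | sed "s|^|$role |"
    done
}

# Constructed sample files mirroring the article's test/jdoe/ifconfig scenario
RBAC_TMP=$(mktemp -d)
trap 'rm -rf "$RBAC_TMP"' EXIT
cat > "$RBAC_TMP/user_attr" <<'EOF'
root::::type=normal;auths=solaris.*
test::::type=role;profiles=Ifconfig Only
jdoe::::type=normal;roles=test
EOF
cat > "$RBAC_TMP/exec_attr" <<'EOF'
Ifconfig Only:suser:cmd:::/usr/sbin/ifconfig:uid=0
Other Profile:suser:cmd:::/usr/sbin/shutdown:uid=0
EOF

user_commands "$RBAC_TMP/user_attr" "$RBAC_TMP/exec_attr" jdoe
```

On a live system the same functions can be pointed at /etc/user_attr and /etc/security/exec_attr to review what each trusted user can run.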

Solution
