How To Create Custom Roles Using RBAC (Doc ID 1010196.1)

Last updated on DECEMBER 18, 2023

Applies to:

Solaris Operating System - Version 8 and later
All Platforms

Goal

This article details how to customize RBAC.

Role Based Access Control (RBAC) allows root to delegate specific superuser privileges without sharing all of root's powers. By default, RBAC is ready to use in the Solaris 8 (and later) Operating System. Using it is simply a matter of creating a special user account (a role) and mapping commands (or command sets) to it. root then authorizes trusted users to assume the role's identity (via /usr/bin/su) and execute any or all of the superuser commands mapped to it.

For instance, arbitrary role account "test" could be mapped to pre-defined profiles in /etc/security/exec_attr, such as the command /usr/sbin/ifconfig. To allow trusted non-root user <FirstName LastName> (<username>) to run ifconfig, root would grant <username> 'su' (/usr/bin/su) rights to role "test".

Once done, user <username> could 'su' into role "test" and execute the profile command /usr/sbin/ifconfig, which is normally restricted to 'root'. Since "test" maps only to 'ifconfig', attempts to execute other privileged commands, such as /usr/sbin/shutdown, will fail.
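To check that a role such as "test" really maps only to the intended command, the mapping can be resolved from the user_attr(4) and exec_attr(4) files. The following is an added example, not part of the Oracle article; the profile name "Ifconfig Only", the "Maintenance" profile, the user "jdoe" and the sample file contents are constructed, and profiles nested through prof_attr are not followed.

```python
# Constructed sample entries in the Solaris user_attr(4) / exec_attr(4) formats.
USER_ATTR = """\
# user:qualifier:res1:res2:attr
test::::type=role;profiles=Ifconfig Only
jdoe::::type=normal;roles=test
"""
EXEC_ATTR = """\
# name:policy:type:res1:res2:id:attr
Ifconfig Only:suser:cmd:::/usr/sbin/ifconfig:uid=0
Maintenance:suser:cmd:::/usr/sbin/shutdown:uid=0
"""

def records(text, nfields):
    """Yield colon-separated records, skipping comments and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", nfields - 1)
        if len(fields) == nfields:
            yield fields

def attrs(attr):
    """Turn 'k=v1,v2;k2=v' into {'k': ['v1', 'v2'], 'k2': ['v']}."""
    out = {}
    for kv in attr.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            out[k.strip()] = [x.strip() for x in v.split(",") if x.strip()]
    return out

def parse_user_attr(text):
    return {f[0]: attrs(f[4]) for f in records(text, 5)}

def parse_exec_attr(text):
    """Map profile name -> {command path: security attributes}."""
    cmds = {}
    for name, _policy, typ, _r1, _r2, ident, attr in records(text, 7):
        if typ == "cmd":
            cmds.setdefault(name, {})[ident] = attr
    return cmds

def role_commands(role, users, execs):
    """Commands a role may run with the attributes exec_attr grants it."""
    entry = users.get(role, {})
    if entry.get("type") != ["role"]:
        raise ValueError(f"{role} is not a role account")
    allowed = {}
    for prof in entry.get("profiles", []):
        allowed.update(execs.get(prof, {}))
    return allowed

def users_of_role(role, users):
    """Accounts that are authorized to su into the role."""
    return sorted(u for u, a in users.items() if role in a.get("roles", []))
```

On a real system the two strings would be replaced with the contents of /etc/security/exec_attr and /etc/user_attr; any command in the result beyond the intended one means the role is broader than planned.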

For Solaris 11.x RBAC (Assigning Rights to Users and Roles) see https://docs.oracle.com/cd/E37838_01/html/E61023/rbactask-assignrights-1.html

Solution
