administrative tasks, such as printer management. Even though roles are a type of user account, they can be accessed only using the su(1) command. That is, a role cannot be used as a regular user account accessed directly using the normal login procedures, such as login(1) or telnet(1). The superuser privileges are granted to roles (and regular user accounts) by assigning “profiles” and/or “authorizations” to them. When a user account assumes a role, any commands executed by the user are handled by a profile shell, which enables privileged access.

Profiles are sets of authorizations and “privileged operations.” A profile can be thought of as a grouping mechanism used to simplify assigning sets of related superuser privileges. For example, the “Device Management” profile includes all the necessary authorizations to manage system devices.

Authorizations are rights to perform restricted functions such as shutting down the system. An authorization may not correspond to a single Solaris command. For example, there are several commands that can be used to shut down the system. If a user account has been assigned the authorization solaris.system.shutdown, the user account can use any of the appropriate commands to perform the shutdown. The set of authorizations associated with the Solaris system has been defined by Sun Microsystems and cannot be modified.

On the other hand, privileged operations are Solaris commands that are executed with the UID and/or GID set to the appropriate values to allow proper operation.

In summary, authorizations and privileged operations can be assigned to regular user accounts and roles. They allow controlled delegation of superuser privileges. Profiles can be used to assign sets of authorizations and privileged operations.
The RBAC Database

The RBAC database consists of four attribute databases or files and a configuration file. Collectively these files define the attributes of the RBAC (roles, profiles, authorizations, and privileged operations). It also provides a mechanism to associate profiles, authorizations, and privileged operations to regular user accounts and roles.

The four RBAC database files are:

User Attributes Database (user_attr)—Defines roles and assigns authorizations and profiles to roles and regular user accounts. Also referred to as the Extended User Attributes Database.