UsMan's WoRkSpAce

Tuesday, September 12, 2006

Solaris Role based Access Control (RBAC)

* root is an all-powerful UNIX account: whoever holds it can do anything, so one leaked password or careless command exposes the whole system. RBAC provides an alternative to this all-or-nothing superuser model by splitting superuser capabilities into roles that are assigned to individual users. The three recommended roles are primary administrator, system administrator and operator.

* RBAC is built from four elements: privileged applications, roles, authorizations and rights profiles. Users are assigned roles, and a role gets its capabilities from the rights profiles and authorizations attached to it. A rights profile is a collection of system overrides: commands that run with specific security attributes, plus authorizations. Authorizations are discrete rights (for example the right to shut the system down); they are normally assigned through rights profiles but can also be assigned directly to a role. Commands are assigned to rights profiles, not to roles directly. A role is a special type of user account: it has a password, a home directory and groups, and its information is stored in the passwd, shadow, user_attr and audit_user databases. A role cannot be logged into directly; a normal user who has been assigned the role assumes it with the su command and the role's password. RBAC-aware commands check the caller's authorizations before acting. Users obtain the privileged commands of their profiles through a profile shell (pfsh, pfcsh or pfksh), which runs the commands in the profile with their assigned attributes; this is why a role's default shell is a profile shell.

* The preferred way to manage RBAC is via the Solaris Management Console.

* The first role is created using the root account; subsequent roles can be created from that first role instead of root. After creating a role, restart the name service cache daemon (nscd) so the new role takes effect. roleadd creates a local role and its attributes, and rolemod modifies the attributes of an existing role. Roles can also be created by directly editing /etc/user_attr. For roles kept in a name service (LDAP, NIS, NIS+), use smrole, which runs as a client of the Solaris Management Console server. smprofile manages rights profiles; smuser modifies the authorizations, roles and rights profiles assigned to a user; auths prints the authorizations held by any user.

* /etc/user_attr is the extended user attributes database: one line per user or role, whose last field is a list of key=value attributes such as type=role, profiles=..., auths=... and roles=... (the roles a user may assume).
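The steps above, as an added example that is not part of the original post: a script that creates a local role with roleadd, assigns it to a user, restarts nscd, and then reads back what was recorded in the user_attr database. The role name oper, the user usman and the home directory path are assumptions made for illustration; Operator is a stock Solaris rights profile. create_role and show_role need root on a Solaris host and are defined but not called; the user_attr parsing functions and the constructed sample run anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post. Role "oper", user "usman"
# and the home directory are illustrative assumptions.

AWK=${AWK:-awk}   # on Solaris, run with AWK=nawk (old /usr/bin/awk lacks -v)

# Steps that need root on a Solaris host. Not invoked below; call explicitly.
create_role() {   # create_role ROLE USER PROFILE
  role=$1; user=$2; profile=$3
  # roleadd defaults the role's login shell to the profile shell /bin/pfsh,
  # which is what lets the commands in PROFILE run with their attributes.
  roleadd -m -d "/export/home/$role" -P "$profile" "$role" || return 1
  passwd "$role"                          # a role needs a password before anyone can su to it
  usermod -R "$role" "$user" || return 1  # allow USER to assume ROLE
  # Solaris 10 (SMF); on Solaris 9 use: /etc/init.d/nscd stop; /etc/init.d/nscd start
  svcadm restart system/name-service-cache
}

# Read-back through the RBAC query commands (Solaris only).
show_role() {     # show_role ROLE USER
  roles "$2"          # roles USER may assume
  auths "$1"          # authorizations held by ROLE
  profiles -l "$1"    # rights profiles of ROLE and the commands they carry
}

# Portable read-back straight from the database. Each user_attr line is
#   name:qualifier:res1:res2:attr
# where attr is a ';'-separated list of key=value pairs.
user_attr_get() { # user_attr_get FILE NAME KEY  -> prints the value, nothing if unset
  "$AWK" -F: -v n="$2" -v k="$3" '
    $1 == n {
      m = split($5, kv, ";")
      for (i = 1; i <= m; i++)
        if (index(kv[i], k "=") == 1) { print substr(kv[i], length(k) + 2); exit }
    }' "$1"
}

# Exit status 0 if USER may su to ROLE, i.e. ROLE is in the user's roles= list.
user_has_role() { # user_has_role FILE USER ROLE
  case ",$(user_attr_get "$1" "$2" roles)," in
    *",$3,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Constructed sample in user_attr format (not a real /etc/user_attr).
make_sample_user_attr() {
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
# lines starting with '#' are comments
root::::auths=solaris.*,solaris.grant;profiles=All
oper::::type=role;profiles=Operator;auths=solaris.system.shutdown
usman::::type=normal;roles=oper
EOF
  echo "$f"
}

SAMPLE=$(make_sample_user_attr)
trap 'rm -f "$SAMPLE"' EXIT
echo "oper is a:       $(user_attr_get "$SAMPLE" oper type)"
echo "oper profiles:   $(user_attr_get "$SAMPLE" oper profiles)"
echo "oper auths:      $(user_attr_get "$SAMPLE" oper auths)"
if user_has_role "$SAMPLE" usman oper; then echo "usman may su to oper"; fi
if user_has_role "$SAMPLE" root oper; then :; else echo "root has no roles= entry"; fi
```

On a real host, point user_attr_get at /etc/user_attr after running create_role to confirm the type=role entry for the role and the roles= entry for the user; if either is missing, nscd may still be serving the old cache, which is exactly why the restart step exists.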
