RBAC Commands

This section lists commands that are used to administer RBAC. Also provided is a table of commands whose access can be controlled by authorizations.

Commands That Manage RBAC

While you can edit the local RBAC databases manually, such editing is strongly discouraged. The following commands are available for managing access to tasks with RBAC.

Table 10-7 RBAC Administration Commands

Man Page for Command	Description
`auths`(1)	Displays authorizations for a user.
`makedbm`(1M)	Makes a `dbm` file.
`nscd`(1M)	Name service cache daemon, useful for caching the `user_attr`, `prof_attr`, and `exec_attr` databases. Use the `svcadm` command to restart the daemon.
`pam_roles`(5)	Role account management module for PAM. Checks for the authorization to assume role.
`pfexec`(1)	Used by profile shells to execute commands with security attributes that are specified in the `exec_attr` database.
`policy.conf`(4)	Configuration file for system security policy. Lists granted authorizations, granted privileges, and other security information.
`profiles`(1)	Displays rights profiles for a specified user.
`roles`(1)	Displays roles that a specified user can assume.
`roleadd`(1M)	Adds a role to a local system.
`roledel`(1M)	Deletes a role from a local system.
`rolemod`(1M)	Modifies a role's properties on a local system.
`smattrpop`(1M)	Merges the source security attribute database into the target database. For use in situations where local databases need to be merged into a name service. Also for use in upgrades where conversion scripts are not supplied.
`smexec`(1M)	Manages entries in the `exec_attr` database. Requires authentication.
`smmultiuser`(1M)	Manages bulk operations on user accounts. Requires authentication.
`smprofile`(1M)	Manages rights profiles in the `prof_attr` and `exec_attr` databases. Requires authentication.
`smrole`(1M)	Manages roles and users in role accounts. Requires authentication.
`smuser`(1M)	Manages user entries. Requires authentication.
`useradd`(1M)	Adds a user account to the system. The `-P` option assigns a role to a user's account.
`userdel`(1M)	Deletes a user's login from the system.
`usermod`(1M)	Modifies a user's account properties on the system.

Commands That Require Authorizations

The following table provides examples of how authorizations are used to limit command options on a Solaris system. For more discussion of authorizations, see Authorization Naming and Delegation.

Table 10-8 Commands and Associated Authorizations

Man Page for Command	Authorization Requirements
`at`(1)	`solaris.jobs.user` required for all options (when neither `at.allow` nor `at.deny` files exist)
`atq`(1)	`solaris.jobs.admin` required for all options
`cdrw`(1)	`solaris.device.cdrw` required for all options, and is granted by default in the `policy.conf` file
`crontab`(1)	`solaris.jobs.user` required for the option to submit a job (when neither `crontab.allow` nor `crontab.deny` files exist) `solaris.jobs.admin` required for the options to list or modify other users' `crontab` files
`allocate`(1)	`solaris.device.allocate` (or other authorization as specified in `device_allocate` file) required to allocate a device `solaris.device.revoke` (or other authorization as specified in `device_allocate` file) required to allocate a device to another user (`-F` option)
`deallocate`(1)	`solaris.device.allocate` (or other authorization as specified in `device_allocate` file) required to deallocate another user's device `solaris.device.revoke` (or other authorization as specified in `device_allocate`) required to force deallocation of the specified device (`-F` option) or all devices (`-I` option)
`list_devices`(1)	`solaris.device.revoke` required to list another user's devices (`-U` option)
`sendmail`(1M)	`solaris.mail` required to access mail subsystem functions; `solaris.mail.mailq` required to view mail queue