A role is a type of shared account that can only be accessed through a secondary login mechanism such as su(1M) and that is only available to specific users.
An authorization is a right granted to a user or role to perform a function that is not generally allowed. Authorization checks replace superuser checks in trusted applications and are not dependent on kernel policy modules.
A profile contains the list of commands and authorizations required to perform a particular function. For each command, the profile specifies the effective user id, the effective group id, and for Trusted Solaris, the process privileges, to be used when executing the command. Authorizations and commands from multiple profiles are additive. Assigning a profile to a role allows users who can assume that role to perform specific privileged operations without giving users access to all superuser powers. For example, a user might be able to administer the printer subsystem, but not to add users or change the password of other users.
Commitment for this project is being requested for the "C" API, the data structures and database formats, and conventions for using authorizations, roles, and profiles.
| audit_user(4) | per-user auditing database |
| auth_attr(4) | authorization description database |
| auths(1) | print authorizations for user |
| exec_attr(4) | execution profiles database |
| getauthattr(3) | get authorization attributes |
| getauusernam(3) | get audit user entry |
| getexecattr(3) | get execution attributes |
| getprofattr(3) | get profile attributes |
| getuserattr(3) | get user attributes |
| kva_match(3) | key-value matching function |
| libsecdb(3lib) | security attributes database library |
| makedbm(1M) | make a dbm file |
| nscd(1M) | name service cache daemon |
| pam_role_auth(5) | role authenticaton PAM module |
| pfexec(1) | profile shells |
| policy.conf(4) | configuration file for security policy |
| prof_attr(4) | profile attributes database |
| profiles(1) | print profiles for user |
| roles(1) | print role membership for user |
| user_attr(4) | user attributes database |
| useradd(1M) | administer a user or role account on the system |
| userdel(1M) | delete a user's or role's login from the system |
| usermod(1M) | modify a user's or role's account information on the system |
| AdminAuths.properties | Seabreeze Authorization Property File |
| auth_attr | authorization description database |
| exec_attr | profile execution attributes database |
| nscd.conf | nameservice cache daemon config |
| nsswitch.files | nameservice switch for files |
| nsswitch.nis | nameservice switch for nis |
| nsswitch.nisplus | nameservice switch for nisplus |
| pam.conf | PAM configuration file |
| prof_attr | profile description database |
| policy.conf | configuration file for security policy |
| user_attr | user attribute database |