smprofile(1M) System Administration Commands smprofile(1M)NAMEsmprofile - manage profiles in the prof_attr and exec_attr databases
SYNOPSIS
/usr/sadm/bin/smprofile subcommand [ auth_args] -− [subcommand_args]
DESCRIPTION
The smprofile command manages one or more profiles in the prof_attr(4)
or exec_attr(4) databases in the local /etc files name service or a NIS
or NIS+ name service.
subcommands
smprofile subcommands are:
add Adds a new profile (right) to the prof_attr(4) data‐
base. To add a profile, the administrator must have the
solaris.profmgr.write authorization.
delete Deletes a profile from the prof_attr(4) database,
deletes all associated entries from the exec_attr(4)
database, and deletes the assigned profile from the
user_attr(4) database. To delete a profile, the admin‐
istrator must have the solaris.profmgr.execattr.write
and solaris.profmgr.write authorization.
list Lists one or more profiles from the prof_attr(4) or
exec_attr(4) databases. To list a profile, the admin‐
istrator must have the solaris.profmgr.read authoriza‐
tion.
modify Modifies a profile in the prof_attr(4) database. To
modify a profile, the administrator must have the
solaris.profmgr.write authorization.
OPTIONS
The smprofile authentication arguments, auth_args, are derived from the
smc(1M) arg set and are the same regardless of which subcommand you
use. The smprofile command requires the Solaris Management Console to
be initialized for the command to succeed (see smc(1M)). After reboot‐
ing the Solaris Management Console server, the first Solaris Management
Console connection might time out, so you might need to retry the com‐
mand.
The subcommand-specific options, subcommand_args, must come after the
auth_args and must be separated from them by the -− option.
auth_args
The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all
optional. If no auth_args are specified, certain defaults will be
assumed and the user may be prompted for additional information, such
as a password for authentication purposes. These letter options can
also be specified by their equivalent option words preceded by a double
dash. For example, you can use either -D or -−domain with the domain
argument.
-D | -−domain domain
Specifies the default domain that you want to manage. The syntax of
domain is type:/host_name/domain_name, where type is nis, nisplus,
dns, ldap, or file; host_name is the name of the machine that
serves the domain; and domain_name is the name of the domain you
want to manage. (Note: Do not use nis+ for nisplus.)
If you do not specify this option, the Solaris Management Console
assumes the file default domain on whatever server you choose to
manage, meaning that changes are local to the server. Toolboxes can
change the domain on a tool-by-tool basis; this option specifies
the domain for all other tools.
-H | -−hostname host_name:port
Specifies the host_name and port to which you want to connect. If
you do not specify a port, the system connects to the default port,
898. If you do not specify host_name:port, the Solaris Management
Console connects to the local host on port 898. You may still have
to choose a toolbox to load into the console. To override this
behavior, use the smc(1M)-B option, or set your console prefer‐
ences to load a "home toolbox" by default.
-l | -−rolepassword role_password
Specifies the password for the role_name. If you specify a
role_name but do not specify a role_password, the system prompts
you to supply a role_password. Passwords specified on the command
line can be seen by any user on the system, hence this option is
considered insecure.
-p | -−password password
Specifies the password for the user_name. If you do not specify a
password, the system prompts you for one. Passwords specified on
the command line can be seen by any user on the system, hence this
option is considered insecure.
-r | -−rolename role_name
Specifies a role name for authentication. If you do not specify
this option, no role is assumed.
-u | -−username user_name
Specifies the user name for authentication. If you do not specify
this option, the user identity running the console process is
assumed.
-−
This option is required and must always follow the preceding
options. If you do not enter the preceding options, you must still
enter the -− option.
subcommand_args
Note: Descriptions and other arg options that contain white spaces must
be enclosed in double quotes.
To add privileges to or modify privileges in a profile entry, the
administrator must have the solaris.admin.privilege.write authoriza‐
tion. See privileges(5).
· For subcommand add:
-a addauth1 -a addauth2 . . .
(Optional) Specifies the authorization name(s) to add to the
new profile. The administrator must have the
solaris.profmgr.write authorization and must have the corre‐
sponding "grant" authorization. A "grant" authorization is one
in which the lowest component of the authorization name is
replaced by the word grant. For example, to grant some profile
the solaris.role.write authorization, the administrator needs
that authorization and also the solaris.role.grant authoriza‐
tion. For more information on granting authorizations, see
auth_attr(4).
-d description
Specifies the description of the new profile.
-h
(Optional) Displays the command's usage statement.
-m html_help
Specifies the HTML help file name for the new profile. The
help file name must be put in the /usr/lib/help/pro‐
files/locale/C directory.
-n name
Specifies the name of the new profile.
-p addprof1 -p addprof2 . . .
(Optional) Specifies the supplementary profile name(s) to add
to the new profile.
-I inherited_privs
Specifies the inherited privilege name(s) to add to the new
prof_attr(4) entry.
To add privileges to or modify privileges in a profile entry,
the administrator must have the solaris.admin.privilege.write
authorization. See privileges(5).
· For subcommand delete:
-h
(Optional) Displays the command's usage statement.
-n name
Specifies the name of the profile you want to delete.
· For subcommand list:
-h
(Optional) Displays the command's usage statement.
-l
(Optional) Displays the detailed output for each profile in a
block of key:value pairs, followed by a blank line that delim‐
its each profile block. Each key:value pair is displayed on a
separate line. All the attributes associated with a profile
from the prof_attr and exec_attr databases are displayed. If
you do not specify this option, only the specified profile
name(s) and associated profile description(s) are displayed.
-n name1 -n name2 . . .
(Optional) Specifies the profile(s) that you want to display.
If you do not specify a profile name, all profiles are dis‐
played.
· For subcommand modify:
-a addauth1 -a addauth2 . . .
(Optional) Specifies the authorization name(s) to add to the
profile. The administrator must currently have been granted
each of the specified authorizations and must have the ability
to grant each of those authorizations to other users or roles.
For more information on granting authorizations, see
auth_attr(4).
-d description
(Optional) Specifies the new description of the profile.
-h
(Optional) Displays the command's usage statement.
-m html_help
(Optional) Specifies the new HTML help file name of the pro‐
file. If you change this name, you must accordingly rename the
help file name entered in the /usr/lib/help/profiles/locale/C
directory.
-n name
Specifies the name of the profile you want to modify.
-p addprof1 -p addprof2 . . .
(Optional) Specifies the supplementary profile name(s) to add
to the profile. The administrator must have the
solaris.profmgr.assign authorization to add any profile and
the solaris.profmgr.delegate authorization to add any profile
that has been assigned to the authenticated user.
-q delprof1 -q delprof2 . . .
(Optional) Specifies the supplementary profile name(s) to
delete from the profile. The administrator must have the
solaris.profmgr.assign authorization to delete any profile and
the solaris.profmgr.delegate authorization to delete any pro‐
file that has been assigned to the authenticated user.
-r delauth1 -r delauth2 . . .
(Optional) Specifies the authorization name(s) to delete from
the profile. The administrator must have the
solaris.profmgr.write authorization and must have the corre‐
sponding "grant" authorization. For more information about
"grant" authorizations, see the -a option description for the
add subcommand above.
-I inherited_privs
Specifies the inherited privilege name(s) to modify in the
prof_attr(4) entry.
To add privileges to or modify privileges in a profile entry,
the administrator must have the solaris.admin.privilege.write
authorization. See privileges(5).
EXAMPLES
Example 1: Creating a new profile
The following creates a new User Manager profile on the local file sys‐
tem. The new profile description is Manage users and groups, and the
authorizations assigned are solaris.admin.usermgr.write and
solaris.admin.usermgr.read. The supplementary profile assigned is
Operator. The help file name is RtUserMgmt.html.
./smprofile add -H myhost -p mypasswd -u root -- -n "User Manager" \
-d "Manage users and groups" -a solaris.admin.usermgr.write \
-a solaris.admin.usermgr.read -p Operator -m RtUserMgmt.html
Example 2: Deleting a profile
The following deletes the User Manager profile from the local file sys‐
tem:
./smprofile delete -H myhost -p mypasswd -u root -- -n "User Manager"
Example 3: Listing all profiles
The following lists all profiles and their associated profile descrip‐
tions on the local file system.
./smprofile list -H myhost -p mypasswd -u root --
Example 4: Modifying a profile
The following modifies the User Manager profile on the local file sys‐
tem. The new profile description is Manage world, the new authorization
assignment is solaris.admin.usermgr.* authorizations, and the new sup‐
plementary profile assignment is All. (The -a option argument must be
enclosed in double quotes when the wildcard character (*) is used.)
./smprofile modify -H myhost -p mypasswd -u root -- -n "User Manager" \
-d "Manage world" -a "solaris.admin.usermgr.*" -p All
ENVIRONMENT VARIABLES
See environ(5) for a description of the JAVA_HOME environment variable,
which affects the execution of the smprofile command. If this environ‐
ment variable is not specified, the /usr/java location is used. See
smc(1M).
EXIT STATUS
The following exit values are returned:
0 Successful completion.
1 Invalid command syntax. A usage message displays.
2 An error occurred while executing the command. An error mes‐
sage displays.
FILES
The following files are used by the smprofile command:
/etc/security/exec_attr Rights profiles database. See
exec_attr(4).
/etc/security/prof_attr Profile description database. See
prof_attr(4).
/etc/user_attr Extended user attribute database. See
user_attr(4).
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │ SUNWmga │
├─────────────────────────────┼─────────────────────────────┤
│cw(2.750000i)| cw(2.750000i) │ │
├─────────────────────────────┼─────────────────────────────┤
│lw(2.750000i)| lw(2.750000i) │ │
├─────────────────────────────┼─────────────────────────────┤
│lw(2.750000i) lw(2.750000i). │ │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │ Evolving │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOsmc(1M), auth_attr(4), exec_attr(4), prof_attr(4), user_attr(4),
attributes(5), environ(5)SunOS 5.10 24 May 2004 smprofile(1M)
