smrole man page on SunOS


smrole(1M)		System Administration Commands		    smrole(1M)

NAME
       smrole - manage roles and users in role accounts

SYNOPSIS
       /usr/sadm/bin/smrole subcommand [auth_args] -- [subcommand_args]

DESCRIPTION
       The  smrole  command  manages  roles  and adds or deletes users in role
       accounts.

   subcommands
       smrole subcommands are:

       add        Adds a new role entry. To add an entry, the administrator
                  must have the solaris.role.write authorization.

       delete     Deletes one or more roles. To delete an entry, the
                  administrator must have the solaris.role.write
                  authorization.

       list       Lists one or more roles. If you do not specify a role
                  name, all roles are listed. To list an entry, the
                  administrator must have the solaris.admin.usermgr.read
                  authorization.

       modify     Adds or deletes users from a role account. To modify an
                  entry, the administrator must have the solaris.role.write
                  authorization.

OPTIONS
       The smrole authentication arguments, auth_args, are derived from the
       smc(1M) arg set and are the same regardless of which subcommand you
       use. The smrole command requires the Solaris Management Console to be
       initialized for the command to succeed (see smc(1M)). After rebooting
       the Solaris Management Console server, the first Solaris Management
       Console connection might time out, so you might need to retry the
       command.

       The subcommand-specific options, subcommand_args, must come after the
       auth_args and must be separated from them by the -- option.

   auth_args
       The auth_args -D, -H, -l, -p, -r, and -u are described below. They are
       all optional. These options are a subset of the full complement of
       supported options described in smc(1M).

       If no auth_args are specified, certain defaults will be assumed and the
       user may be prompted for additional information, such as a password for
       authentication purposes. These letter options can also be specified by
       their equivalent option words preceded by a double dash. For example,
       you can use either -D or --domain with the domain argument.

       -D | --domain domain

	   Specifies the default domain that you want to manage. The syntax of
	   domain is type:/host_name/domain_name, where type is nis,  nisplus,
	   dns,	 ldap,	or  file;  host_name  is  the name of the machine that
	   serves the domain; and domain_name is the name of  the  domain  you
	   want to manage. (Note: Do not use nis+ for nisplus.)

	   If  you  do not specify this option, the Solaris Management Console
	   assumes the file default domain on whatever server  you  choose  to
	   manage, meaning that changes are local to the server. Toolboxes can
	   change the domain on a tool-by-tool basis;  this  option  specifies
	   the domain for all other tools.

       -H | --hostname host_name:port

           Specifies the host_name and port to which you want to connect. If
           you do not specify a port, the system connects to the default port,
           898. If you do not specify host_name:port, the Solaris Management
           Console connects to the local host on port 898. You may still have
           to choose a toolbox to load into the console. To override this
           behavior, use the smc(1M) -B option, or set your console
           preferences to load a "home toolbox" by default.

       -l | --rolepassword role_password

	   Specifies  the  password  for  the  role_name.  If  you  specify  a
	   role_name but do not specify a role_password,  the  system  prompts
	   you	to  supply a role_password. Passwords specified on the command
	   line can be seen by any user on the system, hence  this  option  is
	   considered insecure.

       -p | --password password

	   Specifies  the  password for the user_name. If you do not specify a
	   password, the system prompts you for one.  Passwords	 specified  on
	   the	command line can be seen by any user on the system, hence this
	   option is considered insecure.

       -r | --rolename role_name

	   Specifies a role name for authentication. If	 you  do  not  specify
	   this option, no role is assumed.

       -u | --username user_name

	   Specifies  the  user name for authentication. If you do not specify
	   this option, the user  identity  running  the  console  process  is
	   assumed.

       --

           This option is required and must always follow the preceding
           options. If you do not enter the preceding options, you must still
           enter the -- option.

   subcommand_args
       Note: Descriptions and other arg options that contain white spaces must
       be enclosed in double quotes.

       To  add	or  change  privileges,	 the  administrator  must   have   the
       solaris.admin.privilege.write authorization. See privileges(5).

         ·  For subcommand add:

            -a adduser1 -a adduser2 . . .

                (Optional) Specifies the user name(s) to add to the new role.
                The administrator must have the solaris.role.assign
                authorization.

	    -c comment

		(Optional)  Includes a short description of the role. Consists
		of a string of up to 256 printable characters,	excluding  the
		colon (:).

            -d dir

                (Optional) Specifies the home directory of the new role,
                limited to 1024 characters.

	    -F full_name

		(Optional) Specifies the full, descriptive name of  the	 role.
		The  full_name must be unique within a domain, and can contain
		alphanumeric characters and spaces. If	you  use  spaces,  you
		must enclose the full_name in double quotes.

            -G group1 -G group2 . . .

                (Optional) Specifies the new role's supplementary group
                membership in the system group database with the character
                string names of one or more existing groups. Note: You cannot
                assign a primary group to a role. A role's primary group is
                always sysadmin (group 14).

	    -h

		(Optional) Displays the command's usage statement.

	    -n rolename

		Specifies the name of the role you want to create.

            -p addprof1 -p addprof2 . . .

                (Optional) Specifies the profile(s) to add to the role. To
                assign a profile to a role, the administrator must have the
                solaris.profmgr.assign or solaris.profmgr.delegate
                authorization.

            -P password

                (Optional) Specifies the role's password. The password can
                contain up to eight characters. If you do not specify a
                password, the system prompts you for one. To set the password,
                the administrator must have the solaris.admin.usermgr.pswd
                authorization. Note: When you specify a password using the -P
                option, you type the password in plain text. Specifying a
                password using this method introduces a security gap while the
                command is running. However, if you do not specify a password
                (and the system prompts you for one), the echo is turned off
                when you type in the password.

	    -s shell

		(Optional)  Specifies the full pathname of the program used as
		the role's shell on login. Valid  entries  are	/bin/pfcsh  (C
		shell), /bin/pfksh (Korn shell), and /bin/pfsh (Bourne shell),
		the default.

	    -u uid

		(Optional) Specifies the ID of the role you want  to  add.  If
		you  do	 not  specify this option, the system assigns the next
		available unique ID greater than 100.

            -x autohome=Y|N

                (Optional) Sets the role's home directory. The home directory
                path in the password entry is set to /home/login_name.

	    -x perm=home_perm

		(Optional)  Sets the permissions on the role's home directory.
		perm is interpreted as an octal number,	 and  the  default  is
		0775.

	    -x serv=homedir_server

		(Optional)  If -D is nis, nisplus, or ldap, use this option to
		specify the name of the server where the user's home directory
		resides.  Users	 created in a local scope must have their home
		directory server created on their local machines.

            -M limit_privs

                Specifies the privilege name(s) to add to the new user_attr(4)
                entry as the limit privilege set. The default limit privilege
                set is all.

                To add or change privileges, the administrator must have the
                solaris.admin.privilege.write authorization. See
                privileges(5).

	    -D default_privs

		Specifies  the	default	 privilege  name(s)  to add to the new
		user_attr(4) entry.

	    The options to the add subcommand listed below are available  only
	    if	a  system  is  configured with Solaris Trusted Extensions. See
	    "Using Options that Require Solaris Trusted Extensions," below.

            -x clear=clearanceval

                (Optional) Specifies the role's clearance. clearanceval can be
                a string value or a hex value. If this option is not
                specified, the default, admin_high, is in effect. To set the
                clearance, the administrator must have the
                solaris.admin.usermgr.labels authorization.

            -x label=labelval

                (Optional) Specifies the role's minimum label. labelval can be
                a string label or a hex label. If this option is not
                specified, the default, admin_low, is in effect. To set the
                minimum label, the administrator must have the
                solaris.admin.usermgr.labels authorization.

            -x labelview=HIDE|SHOW

                (Optional) Specifies the second part of the labelview key-value
                pair. If SHOW is specified, labelview=*showsl will be recorded.
                If HIDE is specified, labelview=*hidesl will be recorded. The
                asterisk portion can be replaced by "internal,", "external,",
                or "" (null); see the -x view option. If this option is not
                specified, the default, SHOW, is in effect.

	    -x view=INTERNAL|EXTERNAL|DEFAULT

		(Optional)  Specifies the label view type for the labelview in
		user_attr. If INTERNAL is specified,  labelview=internal  will
		be recorded; if EXTERNAL is specified, labelview=external will
		be recorded; if DEFAULT is specified, nothing will be recorded
		in  user_attr.	If  this option is not specified, the default,
		INTERNAL, is in effect.

	 ·  For subcommand delete:

	    -h

		(Optional) Displays the command's usage statement.

	    -n rolename1 -n rolename2 . . .

		Specifies the name of the role(s) you want to delete.

	 ·  For subcommand list:

	    -h

		(Optional) Displays the command's usage statement.

	    -l

		(Optional) Displays the output for each user  in  a  block  of
		key:value  pairs  (for example, user name:root), followed by a
		blank line that delimits each user block. Each key:value  pair
		is displayed on a separate line. The keys are: autohome setup,
		comment, home directory, login shell, primary group, secondary
		groups, server, user ID (UID), and user name.

	    -n role1 -n role2 . . .

		(Optional) Specifies the role(s) that you want to list. If you
		do not specify a role name, all roles are listed.

	 ·  For subcommand modify:

            -a adduser1 -a adduser2 . . .

                (Optional) Specifies the user name(s) to add to the role. The
                administrator must have the solaris.role.assign
                authorization, or must have the solaris.role.delegate
                authorization and be a member of the role being modified.

	    -c comment

		(Optional)  Includes a short description of the role. Consists
		of a string of up to 256 printable characters,	excluding  the
		colon (:).

            -d dir

                (Optional) Specifies the home directory of the role, limited
                to 1024 characters.

	    -F full_name

		(Optional) Specifies the full, descriptive name of  the	 role.
		The  full_name must be unique within a domain, and can contain
		alphanumeric characters and spaces. If	you  use  spaces,  you
		must enclose the full_name in double quotes.

            -G group1 -G group2 . . .

                (Optional) Specifies the role's secondary group membership in
                the system group database with the character string names of
                one or more existing groups. Note: You cannot assign a
                primary group to a role. A role's primary group is always
                sysadmin (group 14).

	    -h

		(Optional) Displays the command's usage statement.

	    -n rolename

		Specifies the name of the role you want to modify.

	    -N new_rolename

		(Optional) Specifies the new name of the role.

            -p addprof1 -p addprof2 . . .

                (Optional) Specifies the profile(s) to add to the role. To
                assign a profile to a role, the administrator must have the
                solaris.profmgr.assign or solaris.profmgr.delegate
                authorization.

            -P password

                (Optional) Specifies the role's password. The password can
                contain up to eight characters. To set the password, the
                administrator must have the solaris.admin.usermgr.pswd
                authorization. Note: When you specify a password, you type the
                password in plain text. Specifying a password using this
                method introduces a security gap while the command is running.

	    -q delprof1 -q delprof2 . . .

		(Optional) Specifies the profile(s) to delete from the role.

	    -r deluser1 -r deluser2 . . .

		(Optional) Specifies the user name(s) to delete from the role.

	    -s shell

		(Optional)  Specifies the full pathname of the program used as
		the role's shell on login. Valid  entries  are	/bin/pfcsh  (C
		shell), /bin/pfksh (Korn shell), and /bin/pfsh (Bourne shell),
		the default.

	    -x autohome=Y|N

		(Optional) Sets the role's home directory. The home  directory
		path in the password entry is set to /home/login_name.

	    -x perm=home_perm

		(Optional)  Sets the permissions on the role's home directory.
		perm is interpreted as an octal number,	 and  the  default  is
		0775.

            -M limit_privs

                Specifies the privilege name(s) to modify in a user_attr(4)
                entry.

                To add or change privileges, the administrator must have the
                solaris.admin.privilege.write authorization. See
                privileges(5).

	    -D default_privs

		Specifies  the	default	 privilege  name(s)  to	 modify	 in  a
		user_attr(4) entry.

	    The	 options  to  the modify subcommand listed below are available
	    only if a system is configured with	 Solaris  Trusted  Extensions.
	    See	 "Using	 Options  that	Require	 Solaris  Trusted Extensions,"
	    below.

            -x clear=clearanceval

                (Optional) Specifies the role's clearance. clearanceval can be
                a string value or a hex value. If this option is not
                specified, the default, admin_high, is in effect. To set the
                clearance, the administrator must have the
                solaris.admin.usermgr.labels authorization.

            -x label=labelval

                (Optional) Specifies the role's minimum label. labelval can be
                a string label or a hex label. If this option is not
                specified, the default, admin_low, is in effect. To set the
                minimum label, the administrator must have the
                solaris.admin.usermgr.labels authorization.

	    -x labelview=HIDE|SHOW

		(Optional) Specifies the second part  of  the  labelview  key-
		value  pair.  If  SHOW is specified, labelview=*showsl will be
		recorded. If HIDE  is  specified,  labelview=*hidesl  will  be
		recorded. The asterisk portion can be replaced by "internal,",
		"external,", or ""(null). If this option is not specified, the
		default, SHOW, is in effect.

	    -x view=INTERNAL|EXTERNAL|DEFAULT

		(Optional)  Specifies the label view type for the labelview in
		user_attr. If INTERNAL is specified,  labelview=internal  will
		be recorded; if EXTERNAL is specified, labelview=external will
		be recorded; if DEFAULT is specified, nothing will be recorded
		in  user_attr.	If  this option is not specified, the default,
		INTERNAL, is in effect.

   Using Options that Require Solaris Trusted Extensions
       To use an option that requires the Solaris Trusted Extensions  feature,
       you  must  use the -B toolbox option to specify a toolbox that contains
       support for Trusted Extensions. For example:

       # smrole add -H myhost -p mypasswd -u root -- -n role1 \
       -F "Engineering Admin" -P abc123 -x clear=clearanceval \
       -B http://<server>/toolboxes/tsol_files.tbx

       In the command above, <server> is the name of the machine  running  the
       Solaris	Management  Console.  See  smc(1M) for a description of the -B
       option.

EXAMPLES
       Example 1: Creating a Role Account

       The following creates the role1 account with a full name of Engineering
       Admin  and  a  password of abc123 on the local file system, and assigns
       user1 and user2 to the role. This role has Name	Service	 Security  and
       Audit  Review  rights. The system assigns the next available unique UID
       greater than 100.

       ./smrole add -H myhost -p mypasswd -u root -- -n role1 \
		 -F "Engineering Admin" -P abc123 -a user1 -a user2 \
		 -p "Name Service Security" -p "Audit Review"

       Example 2: Deleting Role Accounts

       The following deletes the role1 and role2 accounts from the local  file
       system.

       ./smrole delete -H myhost -p mypasswd -u root -- -n role1 -n role2

       Example 3: Listing Role Accounts

       The  following lists all role accounts on the local file system in sum‐
       mary form.

       ./smrole list -H myhost -p mypasswd -u root --
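
       With the -l flag, this listing prints each role as a block of key:value
       pairs separated by a blank line (see the list subcommand's -l option).
       The parser and audit below is an added example, not part of the Sun man
       page or of the smrole tooling: it reads constructed sample output whose
       key spellings follow the -l description (the exact value formats, such
       as whether the primary group prints as a name or a number, are assumed)
       and flags roles whose login shell is not one of the profile shells the
       -s option permits or whose primary group is not sysadmin.

```python
# Parse `smrole list -l` output (key:value blocks, blank-line delimited) and
# flag role entries that contradict the invariants smrole(1M) documents.
PROFILE_SHELLS = {"/bin/pfsh", "/bin/pfksh", "/bin/pfcsh"}  # valid -s entries
ROLE_PRIMARY_GROUP = {"sysadmin", "14"}  # "always sysadmin (group 14)"; value format assumed

# Constructed sample of `smrole list -l` output: key spellings follow the man
# page's -l description, the values are invented for this example.
SAMPLE_OUTPUT = """\
user name:role1
user ID (UID):101
primary group:sysadmin
secondary groups:staff
home directory:/export/home/role1
login shell:/bin/pfksh
comment:Engineering Admin
autohome setup:Y
server:myhost

user name:role2
user ID (UID):102
primary group:sysadmin
secondary groups:
home directory:/export/home/role2
login shell:/bin/ksh
comment:Audit Review
autohome setup:N
server:myhost
"""

def parse_role_list(text):
    """Return one dict per role block; split each line on the first colon only."""
    roles, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line delimits a role block
            if current:
                roles.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (no key:value): {line!r}")
        current[key.strip()] = value.strip()
    if current:                       # last block has no trailing blank line
        roles.append(current)
    return roles

def audit_roles(roles):
    """Map role name -> findings for entries that break the documented rules."""
    findings = {}
    for role in roles:
        problems = []
        shell = role.get("login shell", "")
        if shell not in PROFILE_SHELLS:
            problems.append(f"login shell {shell!r} is not a profile shell")
        group = role.get("primary group", "")
        if group not in ROLE_PRIMARY_GROUP:
            problems.append(f"primary group {group!r} is not sysadmin")
        if problems:
            findings[role.get("user name", "<unnamed>")] = problems
    return findings
```

       Feed the real command's output to parse_role_list (for example via
       subprocess) to run the same checks against a live system.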

       Example 4: Modifying a Role Account

       The following modifies the role1 account so the role  defaults  to  the
       Korn  shell, includes the user3 account, and does not include the user2
       account.

       ./smrole modify -H myhost -p mypasswd -u root -- -n role1 \
		 -s /bin/pfksh	-a user3 -r user2

ENVIRONMENT VARIABLES
       See environ(5) for a description of the JAVA_HOME environment variable,
       which affects the execution of the smrole command.  If this environment
       variable is not specified, the /usr/java location is used. See smc(1M).

EXIT STATUS
       The following exit values are returned:

       0	Successful completion.

       1	Invalid command syntax. A usage message displays.

       2        An error occurred while executing the command. An error
                message displays.

FILES
       The following files are used by the smrole command:

       /etc/aliases		       Mail aliases. See aliases(4).

       /etc/auto_home                  Automatic mount points. See
                                       automount(1M).

       /etc/group		       Group file. See group(4).

       /etc/passwd		       Password file. See passwd(4).

       /etc/security/policy.conf       Configuration file for security policy.
				       See policy.conf(4).

       /etc/shadow		       Shadow password file. See shadow(4).

       /etc/user_attr		       Extended	 user  attribute database. See
				       user_attr(4).

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌────────────────────────┬─────────────────┐
       │     ATTRIBUTE TYPE     │ ATTRIBUTE VALUE │
       ├────────────────────────┼─────────────────┤
       │ Availability           │ SUNWmga         │
       ├────────────────────────┼─────────────────┤
       │ Interface Stability    │ Evolving        │
       └────────────────────────┴─────────────────┘

SEE ALSO
       automount(1M), smc(1M), aliases(4), group(4), passwd(4),
       policy.conf(4), shadow(4), user_attr(4), attributes(5), environ(5)

SunOS 5.10			  17 Mar 2006			    smrole(1M)