Unix‎ > ‎Solaris‎ > ‎Solaris man pages‎ > ‎1m‎ > ‎


     roleadd - administer a new role account on the system

     roleadd [-c comment] [-d dir] [-e expire]  [-f inactive]  [-
     g group]  [  -G group  [  , group...]] [ -m [-k skel_dir]] [
     -u uid  [-o]]  [-s shell]  [-A  authorization   [,authoriza-
     tion...]] [-K key=value] role

     roleadd  -D  [-b base_dir]  [-e expire]   [-f inactive]   [-
     g group] [-A authorization  [,authorization...]] [-P profile
     [,profile...] [-K key=value]]

     roleadd adds a role entry to the /etc/passwd and /etc/shadow
     and /etc/user_attr files. The -A and -P options respectively
     assign authorizations and profiles to the role. Roles cannot
     be  assigned  to other roles. The -K option adds a key=value
     pair to /etc/user_attr for a role. Multiple key=value  pairs
     can be added with multiple -K options.

     roleadd also creates supplementary group memberships for the
     role  (-G option) and creates the home directory (-m option)
     for the role if requested.  The  new  role  account  remains
     locked until the passwd(1) command is executed.

     Specifying roleadd -D with the -g, -b, -f, -e, or -K  option
     (or any combination of these option) sets the default values
     for the respective fields. See the  -D  option.   Subsequent
     roleadd commands without the -D option use these arguments.

     The system file entries created with  this  command  have  a
     limit  of 512 characters per line. Specifying long arguments
     to several options can exceed this limit.

     The role (role) field accepts a string of no more than eight
     bytes  consisting  of  characters from the set of alphabetic
     characters, numeric characters, period (.), underscore  (_),
     and hyphen (-). The first character should be alphabetic and
     the field should contain at least one lower case  alphabetic
     character.  A  warning  message is written if these restric-
     tions are not met. A future Solaris release might refuse  to
     accept role fields that do not meet these requirements.

     The role field must contain at least one character and  must
     not contain a colon (:) or a newline (\n).

     The following options are supported:

     -A authorization

         One or more comma separated  authorizations  defined  in
         auth_attr(4).   Only a user or role who has grant rights
         to the authorization can assign it to an account

     -b base_dir

         The default base directory for the system if -d  dir  is
         not specified. base_dir is concatenated with the account
         name to define the home directory. If the -m  option  is
         not used, base_dir must exist.

     -c comment

         Any text string. It is generally a short description  of
         the  role.  This  information  is  stored  in the role's
         /etc/passwd entry.

     -d dir

         The home directory of  the  new  role.  It  defaults  to
         base_dir/account_name, where base_dir is the base direc-
         tory for new login home directories and account_name  is
         the new role name.


         Display  the  default  values   for   group,   base_dir,
         skel_dir, shell, inactive, expire
          and key=value pairs. When used with the -g, -b, -f,  or
         -K,  options,  the -D option sets the default values for
         the specified fields. The default values are:

         group           other (GID of 1)

         base_dir        /home

         skel_dir        /etc/skel

         shell           /bin/pfsh

         inactive        0

         expire          Null

         auths           Null

         profiles        Null

         key=value (pairsnotfpresent user_attr(4)

     -e expire

         Specify the expiration date for a role. After this date,
         no  user  is able to access this role. The expire option
         argument is a date entered using one of the date formats
         included   in   the   template  file  /etc/datemsk.  See

         If the date format that you choose includes  spaces,  it
         must  be  quoted.  For example, you can enter 10/6/90 or
         October 6, 1990. A null value (" ") defeats  the  status
         of  the expired date. This option is useful for creating
         temporary roles.

     -f inactive

         The maximum number of days allowed  between  uses  of  a
         role  ID  before  that  ID  is  declared invalid. Normal
         values are positive integers. A value of  0 defeats  the

     -g group

         An existing group's integer ID or character-string name.
         Without the -D option, it defines the new role's primary
         group membership and defaults to the default group.  You
         can  reset  this default value by invoking roleadd -D -g

     -G group

         An existing group's integer ID or character-string name.
         It  defines  the  new role's supplementary group member-
         ship. Duplicates  between  group  with  the  -g  and  -G
         options are ignored. No more than NGROUPS_MAX groups can
         be specified.

     -k skel_dir

         A directory that contains skeleton information (such  as
         .profile)  that  can  be  copied  into a new role's home
         directory. This directory must already exist. The system
         provides  the  /etc/skel  directory that can be used for
         this purpose.

     -K key=value

         A key=value pair to add to the role's attributes. Multi-
         ple  -K  options  can  be used to add multiple key=value
         pairs. The generic -K option with  the  appropriate  key
         can  be used instead of the specific implied key options
         (-A and -P).  See  user_attr(4)  for  a  list  of  valid
         key=value  pairs.  The "type" key is not a valid key for
         this option. Keys can not be repeated.


         Create the new role's home  directory  if  it  does  not
         already  exist. If the directory already exists, it must
         have read, write,  and  execute  permissions  by  group,
         where group is the role's primary group.


         This option allows a UID to be duplicated (non-unique).

     -P profile

         One or more comma-separated execution  profiles  defined
         in prof_attr(4).

     -s shell

         Full pathname of the program used as the user's shell on
         login.  It defaults to an empty field causing the system
         to use /bin/pfsh as the default. The value of shell must
         be a valid executable file.

     -u uid

         The UID of the new role. This UID must be a non-negative
         decimal    integer    below   MAXUID   as   defined   in
         <sys/param.h>.  The UID defaults to the  next  available
         (unique)  number  above  the  highest  number  currently
         assigned. For example, if UIDs 100,  105,  and  200  are
         assigned, the next default UID number is 201. (UIDs from
         0-99 are reserved for possible use  in  future  applica-








     See attributes(5) for descriptions of the  following  attri-

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWcsu                     |
    | Interface Stability         | Evolving                    |

     passwd(1),  pfsh(1),   profiles(1),   roles(1),   users(1B),
     groupadd(1M),    groupdel(1M),    groupmod(1M),   grpck(1M),
     logins(1M), pwck(1M), userdel(1M), usermod(1M), getdate(3C),
     auth_attr(4),  passwd(4), prof_attr(4), user_attr(4), attri-

     In case of an error, roleadd prints  an  error  message  and
     exits with a non-zero status.

     The following indicates that login specified is  already  in

     UX: roleadd: ERROR: login is already in use. Choose another.

     The following indicates that the uid specified with  the  -u
     option is not unique:

     UX: roleadd: ERROR: uid uid is already in use. Choose another.

     The following indicates that the group specified with the -g
     option is already in use:

     UX: roleadd: ERROR: group group does not exist. Choose another.

     The following indicates that the uid specified with  the  -u
     option is in the range of reserved UIDs (from 0-99):

     UX: roleadd: WARNING: uid uid is reserved.

     The following indicates that the uid specified with  the  -u
     option exceeds MAXUID as defined in <sys/param.h>:

     UX: roleadd: ERROR: uid uid is too big. Choose another.

     The following indicates that the /etc/passwd or  /etc/shadow
     files do not exist:

     UX: roleadd: ERROR: Cannot update system files - login cannot be created.


     If a network nameservice such as NIS or NIS+ is  being  used
     to  supplement  the  local  /etc/passwd file with additional
     entries, roleadd cannot change information supplied  by  the
     network nameservice.

Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.