
smrole


NAME
     smrole - manage roles and users in role accounts

SYNOPSIS
     /usr/sadm/bin/smrole subcommand [auth_args] -- [subcommand_args]

DESCRIPTION
     The smrole command manages roles and adds or  deletes  users
     in role accounts.

  subcommands
     smrole subcommands are:

     add             Adds a new role entry. To add an entry,  the
                     administrator       must       have      the
                     solaris.role.write authorization.



     delete          Deletes one or  more  roles.  To  delete  an
                     entry,   the  administrator  must  have  the
                     solaris.role.write authorization.



     list            Lists one or  more  roles.  If  you  do  not
                     specify  a  role name, all roles are listed.
                     To list an  entry,  the  administrator  must
                     have the solaris.admin.usermgr.read authori-
                     zation.



     modify          Adds or deletes users from a  role  account.
                     To  modify  an entry, the administrator must
                     have the solaris.role.write authorization.



OPTIONS
     The smrole authentication arguments, auth_args, are  derived
     from  the  smc(1M)  arg  set  and are the same regardless of
     which subcommand you use.  The smrole command  requires  the
     Solaris Management Console to be initialized for the command
     to  succeed  (see  smc(1M)).  After  rebooting  the  Solaris
     Management Console server, the first Solaris Management Con-
     sole connection might time out, so you might need  to  retry
     the command.

     The subcommand-specific options, subcommand_args, must  come
     after  the  auth_args and must be separated from them by the
     -- option.

  auth_args
     The auth_args -D, -H, -l, -p, -r, and -u are described below.
     They are all optional. These options are a subset of the full
     complement of supported options described in smc(1M).

     If no auth_args are  specified,  certain  defaults  will  be
     assumed and the user may be prompted for additional informa-
     tion, such as a password for authentication purposes.  These
     letter  options  can  also  be specified by their equivalent
     option words preceded by a double dash.   For  example,  you
     can use either -D or --domain with the domain argument.

     -D | --domain  domain

         Specifies the default domain that you  want  to  manage.
         The  syntax  of  domain  is type:/host_name/domain_name,
         where  type  is  nis,  nisplus,  dns,  ldap,  or   file;
         host_name  is  the  name  of the machine that serves the
         domain; and domain_name is the name of  the  domain  you
         want to manage. (Note: Do not use nis+ for nisplus.)

         If you do not specify this option, the  Solaris  Manage-
         ment Console assumes the file default domain on whatever
         server you choose to manage, meaning  that  changes  are
         local  to the server. Toolboxes can change the domain on
         a tool-by-tool basis; this option specifies  the  domain
         for all other tools.



     -H | --hostname  host_name:port

         Specifies the host_name and port to which  you  want  to
         connect.  If  you do not specify a port, the system con-
         nects to the default port, 898. If you  do  not  specify
         host_name:port,  the Solaris Management Console connects
         to the local host on port 898. You  may  still  have  to
         choose  a toolbox to load into the console.  To override
         this behavior, use the smc(1M) -B option,  or  set  your
         console preferences to load a "home toolbox" by default.



     -l | --rolepassword  role_password

         Specifies the password for the role_name. If you specify
         a role_name but do not specify a role_password, the sys-
         tem prompts you to  supply  a  role_password.  Passwords
         specified on the command line can be seen by any user on
         the system, hence this option is considered insecure.



     -p | --password  password

         Specifies the password for the user_name. If you do  not
         specify  a  password,  the  system  prompts you for one.
         Passwords specified on the command line can be  seen  by
         any  user on the system, hence this option is considered
         insecure.



     -r | --rolename  role_name

         Specifies a role name for authentication. If you do  not
         specify this option, no role is assumed.



     -u | --username  user_name

         Specifies the user name for authentication.  If  you  do
         not  specify  this option, the user identity running the
         console process is assumed.



     --

         This option is  required  and  must  always  follow  the
         preceding  options.  If  you  do not enter the preceding
         options, you must still enter the -- option.



  subcommand_args
     Note: Descriptions and other arg values that contain whitespace
     must be enclosed in double quotes.

     To add or change privileges, the administrator must have the
     solaris.admin.privilege.write       authorization.       See
     privileges(5).

       o  For subcommand add:

          -a adduser1 -a adduser2 . . .

              (Optional) Specifies the user name(s) to add to the
              new   role.   The   administrator   must  have  the
              solaris.role.assign authorization.

          -c comment

              (Optional) Includes  a  short  description  of  the
              role.  Consists  of a string of up to 256 printable
              characters, excluding the colon (:).



          -d dir

              (Optional) Specifies the home directory of the  new
              role, limited to 1024 characters.



          -F full_name

              (Optional) Specifies the full, descriptive name  of
              the  role.  The  full_name  must be unique within a
              domain, and can contain alphanumeric characters and
              spaces.  If  you  use  spaces, you must enclose the
              full_name in double quotes.



          -G group1 -G group2 . . .

              (Optional) Specifies the new  role's  supplementary
              group  membership in the system group database with
              the character string names of one or more  existing
              groups.  Note: You cannot assign a primary group to
              a role. A role's primary group is  always  sysadmin
              (group 14).



          -h

              (Optional) Displays the command's usage statement.



          -n rolename

              Specifies the name of the role you want to create.



          -p addprof1 -p addprof2 . . .

              (Optional) Specifies the profile(s) to add  to  the
              role.   To   assign   a  profile  to  a  role,  the
              administrator must have the  solaris.profmgr.assign
              or solaris.profmgr.delegate authorization.



          -P password

              (Optional) Specifies the role's password. The pass-
              word  can contain up to eight characters. If you do
              not specify a password, the system prompts you  for
              one.  To  set  the password, the administrator must
              have the solaris.admin.usermgr.pswd  authorization.
              Note:  When  you  specify  a  password using the -P
              option, you type the password in plain text. Speci-
              fying  a  password  using  this method introduces a
              security gap while the command is running. However,
              if  you  do  not specify a password (and the system
              prompts you for one), the echo is turned  off  when
              you type in the password.



          -s shell

              (Optional) Specifies the full pathname of the  pro-
              gram  used  as  the  role's  shell  on login. Valid
              entries are /bin/pfcsh (C shell), /bin/pfksh  (Korn
              shell), and /bin/pfsh (Bourne shell), the default.



          -u uid

              (Optional) Specifies the ID of the role you want to
              add.  If you do not specify this option, the system
              assigns the next available unique ID  greater  than
              100.



          -x autohome=Y|N

               (Optional) Sets the role's home directory. The home
               directory  path  in  the  password  entry is set to
               /home/login_name.



          -x perm=home_perm

              (Optional) Sets the permissions on the role's  home
              directory.  perm is interpreted as an octal number,
              and the default is 0775.



          -x serv=homedir_server

              (Optional) If -D is nis, nisplus, or ldap, use this
              option  to specify the name of the server where the
              user's home directory resides. Users created  in  a
              local  scope  must have their home directory server
              created on their local machines.



          -M limit_privs

               Specifies the privilege name(s) to add to  the  new
               user_attr(4) entry. The default limit privilege set
               is all.

              To add or change privileges, the administrator must
              have  the  solaris.admin.privilege.write authoriza-
              tion. See privileges(5).



          -D default_privs

              Specifies the default privilege name(s) to  add  to
              the new user_attr(4) entry.




          The options to the  add  subcommand  listed  below  are
          available  only  if a system is configured with Solaris
          Trusted Extensions. See  "Using  Options  that  Require
          Solaris Trusted Extensions," below.


          -x clear=clearanceval

              (Optional) Specifies the role's clearance. clearan-
              ceval can be a string value or a hex value. If this
              option is not specified, the  default,  admin_high,
              is in effect. To set the clearance, the administra-
              tor  must  have  the   solaris.admin.usermgr.labels
              authorization.




          -x label=labelval

              (Optional)  Specifies  the  role's  minimum  label.
              labelval  can  be a string label or a hex label. If
              this  option  is  not   specified,   the   default,
              admin_low,  is in effect. To set the minimum label,
              the      administrator      must      have      the
              solaris.admin.usermgr.labels authorization.



          -x labelview=HIDE|SHOW

              (Optional) Specifies the second part of the  label-
              view   key-value   pair.   If  SHOW  is  specified,
              labelview=*showsl will  be  recorded.  If  HIDE  is
              specified,  labelview=*hidesl will be recorded. The
              asterisk portion can be  replaced  by  "internal,",
              "external,",  or  ""(null).  If  this option is not
              specified, the default, SHOW, is in effect.



          -x view=INTERNAL|EXTERNAL|DEFAULT

              (Optional) Specifies the label view  type  for  the
              labelview  in  user_attr. If INTERNAL is specified,
              labelview=internal will be recorded; if EXTERNAL is
              specified,  labelview=external will be recorded; if
              DEFAULT is specified, nothing will be  recorded  in
              user_attr.  If  this  option  is not specified, the
              default, INTERNAL, is in effect.


       o  For subcommand delete:

          -h

              (Optional) Displays the command's usage statement.



          -n rolename1 -n rolename2 . . .

              Specifies the name  of  the  role(s)  you  want  to
              delete.




       o  For subcommand list:

          -h

              (Optional) Displays the command's usage statement.



          -l

              (Optional) Displays the output for each user  in  a
              block   of   key:value  pairs  (for  example,  user
              name:root), followed by a blank line that  delimits
              each  user  block. Each key:value pair is displayed
              on a separate line. The keys are:  autohome  setup,
              comment,   home  directory,  login  shell,  primary
              group, secondary groups, server, user ID (UID), and
              user name.



          -n role1 -n role2 . . .

              (Optional) Specifies the role(s) that you  want  to
              list.  If you do not specify a role name, all roles
              are listed.




       o  For subcommand modify:

          -a adduser1 -a adduser2 . . .

               (Optional) Specifies the user name(s) to add to the
               role.    The    administrator    must    have   the
              solaris.role.assign authorization, or must have the
              solaris.role.delegate authorization and be a member
              of the role being modified.



          -c comment

              (Optional) Includes  a  short  description  of  the
              role.  Consists  of a string of up to 256 printable
              characters, excluding the colon (:).



          -d dir

               (Optional) Specifies the home directory of the role,
               limited to 1024 characters.

          -F full_name

              (Optional) Specifies the full, descriptive name  of
              the  role.  The  full_name  must be unique within a
              domain, and can contain alphanumeric characters and
              spaces.  If  you  use  spaces, you must enclose the
              full_name in double quotes.



          -G group1 -G group2 . . .

               (Optional) Specifies the role's secondary group
              membership  in  the  system group database with the
              character string names  of  one  or  more  existing
              groups.  Note: You cannot assign a primary group to
              a role. A role's primary group is  always  sysadmin
              (group 14).



          -h

              (Optional) Displays the command's usage statement.



          -n rolename

              Specifies the name of the role you want to modify.



          -N new_rolename

              (Optional) Specifies the new name of the role.



          -p addprof1 -p addprof2 . . .

              (Optional) Specifies the profile(s) to add  to  the
              role.  To  assign a profile to a role, the adminis-
              trator  must  have  the  solaris.profmgr.assign  or
              solaris.profmgr.delegate authorization.



          -P password

              (Optional) Specifies the role's password. The pass-
              word can contain up to eight characters. To set the
              password,   the   administrator   must   have   the
              solaris.admin.usermgr.pswd   authorization.   Note:
              When you specify a password, you type the  password
              in  plain  text.  Specifying  a password using this
              method introduces a security gap while the  command
              is running.



          -q delprof1 -q delprof2 . . .

              (Optional) Specifies the profile(s) to delete  from
              the role.



          -r deluser1 -r deluser2 . . .

              (Optional) Specifies the  user  name(s)  to  delete
              from the role.



          -s shell

              (Optional) Specifies the full pathname of the  pro-
              gram  used  as  the  role's  shell  on login. Valid
              entries are /bin/pfcsh (C shell), /bin/pfksh  (Korn
              shell), and /bin/pfsh (Bourne shell), the default.



          -x autohome=Y|N

              (Optional) Sets the role's home directory. The home
              directory  path  in  the  password  entry is set to
              /home/login_name.



          -x perm=home_perm

              (Optional) Sets the permissions on the role's  home
              directory.  perm is interpreted as an octal number,
              and the default is 0775.



          -M limit_privs

               Specifies the privilege  name(s)  to  modify  in  a
               user_attr(4) entry.

               To add or change privileges, the administrator must
               have  the  solaris.admin.privilege.write authoriza-
               tion. See privileges(5).



          -D default_privs

              Specifies the default privilege name(s)  to  modify
              in a user_attr(4) entry.




          The options to the modify subcommand listed  below  are
          available  only  if a system is configured with Solaris
          Trusted Extensions. See  "Using  Options  that  Require
          Solaris Trusted Extensions," below.


          -x clear=clearanceval

              (Optional) Specifies the role's clearance. clearan-
              ceval can be a string value or a hex value. If this
              option is not specified, the  default,  admin_high,
              is in effect. To set the clearance, the administra-
              tor  must  have  the   solaris.admin.usermgr.labels
              authorization.



          -x label=labelval

              (Optional)  Specifies  the  role's  minimum  label.
              labelval  can  be a string label or a hex label. If
              this  option  is  not   specified,   the   default,
              admin_low,  is in effect. To set the minimum label,
              the      administrator      must      have      the
              solaris.admin.usermgr.labels authorization.



          -x labelview=HIDE|SHOW

              (Optional) Specifies the second part of the  label-
              view   key-value   pair.   If  SHOW  is  specified,
              labelview=*showsl will  be  recorded.  If  HIDE  is
              specified,  labelview=*hidesl will be recorded. The
              asterisk portion can be  replaced  by  "internal,",
              "external,",  or  ""(null).  If  this option is not
              specified, the default, SHOW, is in effect.

          -x view=INTERNAL|EXTERNAL|DEFAULT

              (Optional) Specifies the label view  type  for  the
              labelview  in  user_attr. If INTERNAL is specified,
              labelview=internal will be recorded; if EXTERNAL is
              specified,  labelview=external will be recorded; if
              DEFAULT is specified, nothing will be  recorded  in
              user_attr.  If  this  option  is not specified, the
              default, INTERNAL, is in effect.



  Using Options that Require Solaris Trusted Extensions
     To use an option that requires the  Solaris  Trusted  Exten-
     sions feature, you must use the -B toolbox option to specify
     a toolbox that contains support for Trusted Extensions.  For
     example:

     # smrole add -H myhost -p mypasswd -u root -- -n role1 \
     -F "Engineering Admin" -P abc123 -x clear=clearanceval \
     -B http://<server>/toolboxes/tsol_files.tbx


     In the command above, <server> is the name  of  the  machine
     running  the  Solaris  Management Console. See smc(1M) for a
     description of the -B option.

EXAMPLES
     Example 1: Creating a Role Account

     The following creates the role1 account with a full name  of
     Engineering Admin and a password of abc123 on the local file
     system, and assigns user1 and user2 to the role.  This  role
     has  Name Service Security and Audit Review rights. The sys-
     tem assigns the next available unique UID greater than 100.


     ./smrole add -H myhost -p mypasswd -u root -- -n role1 \
               -F "Engineering Admin" -P abc123 -a user1 -a user2 \
               -p "Name Service Security" -p "Audit Review"
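
     Example 1 passes both the administrator password (-p mypasswd)
     and the role password (-P abc123) on the command line, which this
     page notes is visible to any user on the system; omitting them
     makes smrole prompt with echo turned off. The wrapper below is an
     added example, not code from Solaris or from this man page. It
     builds an smrole add invocation that never carries either password
     and enforces the limits stated under subcommand_args before
     anything is run: a comment of at most 256 printable characters
     with no colon, one of the three profile shells, and an octal
     home-directory mode that is not world-writable. SMROLE_BIN,
     SMROLE_DRY_RUN, the function names and the sample values are this
     example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of Solaris or the smrole man page): a wrapper
# around "smrole add" that keeps passwords off the command line and checks
# the argument limits the man page states before smrole is invoked.
# SMROLE_BIN and SMROLE_DRY_RUN are this example's own assumptions.
SMROLE_BIN="${SMROLE_BIN:-/usr/sadm/bin/smrole}"

# check_comment: at most 256 printable characters and no colon (the field
# separator of passwd(4) and user_attr(4)).
check_comment() {
    c="$1"
    [ "${#c}" -le 256 ] || return 1
    case "$c" in *:*) return 1 ;; esac
    [ -z "$(printf '%s' "$c" | tr -d '[:print:]')" ] || return 1
    return 0
}

# check_shell: only the three profile shells the page lists are accepted, so
# the rights profiles assigned with -p actually take effect at login.
check_shell() {
    case "$1" in
        /bin/pfsh|/bin/pfksh|/bin/pfcsh) return 0 ;;
        *) return 1 ;;
    esac
}

# check_home_perm: an octal mode of three or four digits that is not
# world-writable. The page default, 0775, passes; 0777 does not.
check_home_perm() {
    p="$1"
    case "$p" in *[!0-7]*|"") return 1 ;; esac
    [ "${#p}" -ge 3 ] && [ "${#p}" -le 4 ] || return 1
    case "$p" in *[2367]) return 1 ;; esac
    return 0
}

# reject_role_password: pass-through subcommand arguments may carry profiles
# (-p), users (-a) and so on, but never the role password (-P). Note that
# after the "--" separator -p means "profile"; before it, -p is the admin
# password, which this wrapper never emits either.
reject_role_password() {
    for a in "$@"; do
        case "$a" in -P) return 1 ;; esac
    done
    return 0
}

# smrole_add_safe HOST ADMIN ROLE FULL_NAME COMMENT SHELL PERM [extra args...]
# Neither -p (admin password) nor -P (role password) is passed, so smrole
# prompts for both with echo turned off. With SMROLE_DRY_RUN=1 the argument
# vector is printed one entry per line instead of being executed.
smrole_add_safe() {
    [ $# -ge 7 ] || { echo "usage: smrole_add_safe HOST ADMIN ROLE FULL_NAME COMMENT SHELL PERM [args]" >&2; return 2; }
    host="$1"; admin="$2"; role="$3"; fullname="$4"
    comment="$5"; shell="$6"; perm="$7"
    shift 7
    check_comment "$comment"  || { echo "comment: too long, non-printable or contains ':'" >&2; return 2; }
    check_shell "$shell"      || { echo "shell: must be /bin/pfsh, /bin/pfksh or /bin/pfcsh" >&2; return 2; }
    check_home_perm "$perm"   || { echo "perm: must be octal and not world-writable" >&2; return 2; }
    reject_role_password "$@" || { echo "refusing -P: let smrole prompt for the role password" >&2; return 2; }
    set -- add -H "$host" -u "$admin" -- -n "$role" -F "$fullname" \
           -c "$comment" -s "$shell" -x "perm=$perm" "$@"
    if [ "${SMROLE_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$SMROLE_BIN" "$@"
    else
        "$SMROLE_BIN" "$@"
    fi
}
```

     Run it with SMROLE_DRY_RUN=1 to inspect the argument vector without
     contacting the console server; for instance
     smrole_add_safe myhost root role1 "Engineering Admin" "Eng admin"
     /bin/pfksh 0750 -a user1 -p "Audit Review" reproduces Example 1
     minus the two passwords.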


     Example 2: Deleting Role Accounts

     The following deletes the role1 and role2 accounts from  the
     local file system.


     ./smrole delete -H myhost -p mypasswd -u root -- -n role1 -n role2



     Example 3: Listing Role Accounts

     The following lists all role accounts on the local file sys-
     tem in summary form.


     ./smrole list -H myhost -p mypasswd -u root --
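
     With -l, smrole list prints one block of key:value lines per
     role, each block delimited by a blank line (see the -l option
     under subcommand_args). The script below is an added example, not
     output or code from this man page: it parses that block format
     with awk and flags roles whose login shell is not one of the
     profile shells listed under -s, whose primary group is not
     sysadmin (14), or whose UID is not above 100, the range smrole
     assigns new role IDs from. The key names are taken from the -l
     description; the exact strings the real command prints, the
     constructed sample listing and the function names are assumptions
     of this example.

```shell
#!/bin/sh
# Added example (not from Solaris or this man page): audit the block-format
# output of "smrole list -l" for roles that deviate from what the page says
# smrole creates. Key names follow the -l description; the exact strings the
# real command prints are an assumption here.

# audit_role_list: read key:value blocks on stdin, print one line per
# finding, exit 1 if anything was flagged and 0 otherwise.
audit_role_list() {
    awk -F: '
        # check: apply the three tests to the record collected so far.
        function check(   name, shell, pgroup, uid) {
            if (!("user name" in rec)) return
            name   = rec["user name"]
            shell  = rec["login shell"]
            pgroup = rec["primary group"]
            uid    = rec["user ID (UID)"]
            # Only a profile shell makes the rights profiles (-p) effective.
            if (shell != "/bin/pfsh" && shell != "/bin/pfksh" && shell != "/bin/pfcsh") {
                print name ": login shell " shell " is not a profile shell"; n++
            }
            # The page states that a role primary group is always sysadmin (14).
            if (pgroup != "sysadmin" && pgroup != "14") {
                print name ": primary group " pgroup " is not sysadmin (14)"; n++
            }
            # smrole assigns new role IDs above 100; anything lower was set by hand.
            if (uid != "" && uid + 0 <= 100) {
                print name ": UID " uid " is not above 100"; n++
            }
        }
        /^[ \t]*$/ { check(); for (k in rec) delete rec[k]; next }
        {
            key = $1
            val = substr($0, length($1) + 2)   # text after the first colon
            rec[key] = val
        }
        END { check(); exit (n > 0 ? 1 : 0) }
    '
}

# Constructed sample resembling "smrole list -l" output (not real output):
# role1 is as the page describes; role2 deviates on all three points.
SAMPLE_ROLE_LIST='user name:role1
user ID (UID):101
primary group:sysadmin
secondary groups:staff
home directory:/export/home/role1
login shell:/bin/pfksh
comment:Engineering Admin
server:myhost
autohome setup:Y

user name:role2
user ID (UID):0
primary group:root
secondary groups:
home directory:/export/home/role2
login shell:/bin/sh
comment:Suspicious role
server:myhost
autohome setup:N
'

# audit_sample: run the audit over the constructed listing.
audit_sample() {
    printf '%s' "$SAMPLE_ROLE_LIST" | audit_role_list
}

# Against a live system this would be:
#   ./smrole list -H myhost -u root -- -l | audit_role_list
```

     The blank-line rule closes a block and resets the record, and the
     END rule handles the last block, which smrole may print without a
     trailing blank line; values are taken from the text after the
     first colon only, since a comment cannot contain one.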


     Example 4: Modifying a Role Account

     The  following  modifies  the  role1  account  so  the  role
     defaults  to the Korn shell, includes the user3 account, and
     does not include the user2 account.


     ./smrole modify -H myhost -p mypasswd -u root -- -n role1 \
               -s /bin/pfksh  -a user3 -r user2


ENVIRONMENT VARIABLES
     See environ(5) for a description of the  JAVA_HOME  environ-
     ment  variable,  which  affects  the execution of the smrole
     command.  If this environment variable is not specified, the
     /usr/java location is used. See smc(1M).

EXIT STATUS
     The following exit values are returned:

     0        Successful completion.



     1        Invalid command syntax. A usage message displays.



     2        An error occurred while executing the  command.  An
              error message displays.



FILES
     The following files are used by the smrole command:

     /etc/aliases                    Mail      aliases.       See
                                     aliases(4).



     /etc/auto_home                  Automatic mount points.  See
                                     automount(1M).

     /etc/group                      Group file. See group(4).



     /etc/passwd                     Password      file.      See
                                     passwd(4).



     /etc/security/policy.conf       Configuration file for secu-
                                     rity       policy.       See
                                     policy.conf(4).



     /etc/shadow                     Shadow  password  file.  See
                                     shadow(4).



     /etc/user_attr                  Extended   user    attribute
                                     database. See user_attr(4).



ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWmga                     |
    |_____________________________|_____________________________|
    | Interface Stability         | Evolving                    |
    |_____________________________|_____________________________|


SEE ALSO
     automount(1M),  smc(1M),  aliases(4),  group(4),  passwd(4),
     policy.conf(4),   shadow(4),   user_attr(4),  attributes(5),
     environ(5)










Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.