RBAC Reference

News	Role engineering	Recommended books	Recommended Links	Reference	Solaris privileges sets	Conversion of application accounts to Roles
`user_attr`	`prof_attr`	`exec_attr`	`auth_attr`	policy.conf	Solaris Profile Shells
sudo vs RBAC	Emulation of SUDO using Solaris RBAC		ACLs usage is roles	Profile Shells	Humor	Etc

There are three commands that gives information about a particular user account:

docs.sun.com System Administration Guide, Volume 2

Role-based access control (RBAC) is an alternative to the all-or-nothing security model of traditional superuser-based systems. The problem with the traditional model is not just that superuser is so powerful but that other users are not powerful enough to fix their own problems. Like its predecessor sudo, RBAC provides the ability to package superuser privileges for assignment to user accounts.

With RBAC, you can give users the ability to solve their own problems by assigning them packages of the appropriate privileges. Superuser's capabilities can be diminished by dividing those capabilities into several packages and assigning them separately to individuals sharing administrative responsibilities.

RBAC thus enables separation of powers, controlled delegation of privileged operations to other users, and a variable degree of access control. It includes the following features:

Authorization - A right that is used to grant access to a restricted function

Execution profile (or simply profile) - A bundling mechanism for grouping authorizations and commands with special attributes; for example, user and group IDs

Role - A special type of user account intended for performing a set of administrative tasks

RBAC relies on four databases to provide users access to privileged operations:

user_attr (extended user attributes database) - Associates users and roles with authorizations and execution profiles

auth_attr (authorization attributes database) - Defines authorizations and their attributes and identifies the associated help file

prof_attr (execution profile attributes database) - Defines profiles, lists the profile's assigned authorizations, and identifies the associated help file

exec_attr (profile execution attributes database) - Defines the privileged operations assigned to a profile

The /etc/user_attr database supplements the passwd and shadow databases. It contains extended user attributes such as authorizations and execution profiles. It also allows roles to be assigned to a user.

A role is a special type of user account that is intended for performing a set of administrative tasks. It is like a normal user account in most respects except that it has a special shell pfksh and users can gain access to it only through the su command; it is not accessible for normal logins. From a role account, a user can access commands with special attributes, typically root user ID, that are not available to users in normal accounts.

The fields in the user_attr database are separated by colons:
                                        user:qualifier:res1:res2:attr
attr is a list of semicolon-separated (;) key-value pairs that describe the security attributes to be applied when the user runs commands. There are four valid keys: auths, profiles, roles, and type.

auths specifies a comma-separated list of authorization names chosen from names defined in the auth_attr(4) database. Authorization names may include the asterisk (*) character as a wildcard. For example, solaris.device.* means all of the Solaris device authorizations.

profiles contains an ordered, comma-separated list of profile names chosen from prof_attr(4). A profile determines which commands a user can execute and with which command attributes. At minimum each user in user_attr should have the All profile, which makes all commands available but without any attributes. The order of profiles is important; it works similarly to UNIX search paths. The first profile in the list that contains the command to be executed defines which (if any) attributes are to be applied to the command.

roles can be assigned to the user using a comma-separated list of role names. Note that roles are defined in the same user_attr database. They are indicated by setting the type value to role. Roles cannot be assigned to other roles.

type can be set to normal, if this account is for a normal user, or to role, if this account is for a role. A role is assumed by a normal user after the user has logged in.

Authorizations

An authorization is a user right that grants access to a restricted function. It is a unique string that identifies what is being authorized as well as who created the authorization.

Authorizations are checked by certain privileged programs to determine whether users can execute restricted functionality. For example, the solaris.jobs.admin authorization is required for one user to edit another user's crontab file.

All authorizations are stored in the auth_attr database. Authorizations may be assigned directly to users (or roles) in which case they are entered in the user_attr database. Authorizations can also be assigned to execution profiles which in turn are assigned to users.

The fields in the auth_attr database are separated by colons:

Profiles

profname:res1:res2:desc:attr

An optional list of key-value pairs separated by semicolons (;) that describe the security attributes to apply to the object upon execution. Zero or more keys may be specified. There are two valid keys, help and auths.

The keyword help identifies a help file in HTML. Help files can be accessed from the index.html file in the /usr/lib/help/auths/locale/C directory.

auths specifies a comma-separated list of authorization names chosen from those names defined in the auth_attr(4) database. Authorization names may be specified using the asterisk (*) character as a wildcard.

Attributes

An execution attribute associated with a profile is a command (with any special security attributes) that can be run by those users or roles to whom the profile is assigned. Special security attributes refer to such attributes as UID, EUID, GID, EGID that can be added to a process when the command is run.

The definitions of the execution attributes are stored in the exec_attr database.

The fields in the exec_attr database are separated by colons:

name:policy:type:res1:res2:id:attr

The type of entity whose attributes are specified. Currently, the only valid type is cmd (command).

attr An optional list of semicolon (;) separated key-value pairs that describe the security attributes to apply to the entity upon execution. Zero or more keys may be specified. The list of valid key words depends on the policy being enforced. There are four valid keys: euid, uid, egid, and gid.

euid and uid contain a single user name or a numeric user ID. Commands designated with euid run with the effective UID indicated, which is similar to setting the setuid bit on an executable file. Commands designated with uid run with both the real and effective UIDs.

egid and gid contain a single group name or numeric group ID. Commands designated with egid run with the effective GID indicated, which is similar to setting the setgid bit on an executable file. Commands designated with gid run with both the real and effective GIDs.

How to assume role:

To assume a role, use the su command. You cannot log in to a role. For example:

%su my-role Password: my-role-password #

Command Description

auths(1) Display authorizations for a user.

makedbm(1M) Make a dbm file.

nscd(1M) Name service cache daemon, useful for caching the user_attr, prof_attr, and exec_attr databases.

pam_roles(5) Role account management module for PAM. Checks for the authorization to assume role.

pfexec(1) Profile shells, used by profile shells to execute commands with attributes specified in the exec_attr database.

policy.conf(4) Configuration file for security policy. Lists granted authorizations.

profiles(1) Display profiles for a specified user.

roles(1) Display roles granted to a user.

roleadd(1M) Add a role account on the system.

roledel(1M) Delete a role's account from the system.

rolemod(1M) Modify a role's account information on the system.

useradd(1M) Add a user account on the system. The -P option assigns a role to a user's account.

userdel(1M) Delete a user's login from the system.

usermod(1M) Modify a user's account information on the system.

Command	Description
auths(1)	Display authorizations for a user.
makedbm(1M)	Make a `dbm` file.
nscd(1M)	Name service cache daemon, useful for caching the `user_attr`, `prof_attr`, and `exec_attr` databases.
pam_roles(5)	Role account management module for PAM. Checks for the authorization to assume role.
pfexec(1)	Profile shells, used by profile shells to execute commands with attributes specified in the `exec_attr` database.
policy.conf(4)	Configuration file for security policy. Lists granted authorizations.
profiles(1)	Display profiles for a specified user.
roles(1)	Display roles granted to a user.
roleadd(1M)	Add a role account on the system.
roledel(1M)	Delete a role's account from the system.
rolemod(1M)	Modify a role's account information on the system.
useradd(1M)	Add a user account on the system. The `-P` option assigns a role to a user's account.
userdel(1M)	Delete a user's login from the system.
usermod(1M)	Modify a user's account information on the system.