roles - print roles granted to a user
roles [ user ...]
The command roles prints on standard output the roles that
you or the optionally-specified user have been granted.
Roles are special accounts that correspond to a functional
responsibility rather than to an actual person (referred to
as a normal user).
Each user may have zero or more roles. Roles have most of
the attributes of normal users and are identified like nor-
mal users in passwd(4) and shadow(4). Each role must have an
entry in the user_attr(4) file that identifies it as a role.
Roles can have their own authorizations and profiles. See
auths(1) and profiles(1).
Roles are not allowed to log into a system as a primary
user. Instead, a user must log in as him- or herself and
assume the role. The actions of a role are attributable to
the normal user. When auditing is enabled, the audited
events of the role contain the audit ID of the original user
who assumed the role.
A role may not assume itself or any other role. Roles are
not hierarchical. However, rights profiles (see
prof_attr(4)) are hierarchical and can be used to achieve
the same effect as hierarchical roles.
Roles must have valid passwords and one of the shells that
interprets profiles: either pfcsh, pfksh, or pfsh. See
Role assumption may be performed using su(1M), rlogin(1), or
some other service that supports the PAM_RUSER variable.
Successful assumption requires knowledge of the role's pass-
word and membership in the role. Role assignments are speci-
fied in user_attr(4).
Example 1: Sample output
The output of the roles command has the following form:
example% roles tester01 tester02
tester01 : admin
tester02 : secadmin, root
The following exit values are returned:
0 Successful completion.
1 An error occurred.
See attributes(5) for descriptions of the following attri-
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
| Availability | SUNWcsu |
auths(1), pfexec(1), profiles(1), rlogin(1), su(1M),
getauusernam(3BSM), auth_attr(4), passwd(4), prof_attr(4),
shadow(4), user_attr(4), attributes(5)
Man(1) output converted with